iOS 9 arrived with an upgraded Siri who seamlessly listens to and carries out the commands of the owner. As it turns out, it will also easily carry out the wishes of hackers sitting 16 feet away.
As noted by Wired, two researchers at a French government agency, ANSSI, showcased the use of radio waves to quietly relay voice commands to Siri or Google Now-enabled devices.
But there are major limitations to this and besides if Siri or Google Now is already enabled on the phone, the hack would require “a pair of headphones with a microphone plugged into its jack.”
As rightly pointed out by Wired, “Their clever hack uses those headphones’ cord as an antenna, exploiting its wire to convert surreptitious electromagnetic waves into electrical signals that appear to the phone’s operating system to be audio coming from the user’s microphone.”
In a paper written by José Lopes Esteves and Chaouki Kasmi and published by IEEE, Vincent Strubel, the director of the research group at ANSSI, said, “The sky is the limit here. Everything you can do through the voice interface you can do remotely and discreetly through electromagnetic waves.”
So yes, the hacker, if successful would be able to do anything using voice commands, that the owner of the device would do. This includes making calls and sending messages. They can also browse through malware websites, send spam mails and even access the owner’s social media accounts.
As scary as this sounds, there is one relief in the fact that when any command is given to the device, the screen lights up and this alerts the user.
It is highly likely that the users will see a command being given to Siri, which they clearly didn’t and cancel it out before any damage could be made. Also, having it set to act only on the owner’s voice, whether it be on the iPhone or Android devices, would also prevent it from being hacked.
In another scenario, hackers can be present in public places with large crowds, such as an airport and give silent commands to many devices in the vicinity. Unkowing users with phones in their handbags or pockets would definitely be at risk.
However, as Gavin Reid, VP of threat intelligence for Lancope shared with Forbes, “This attack is less likely to be leveraged by the criminal underground especially with other methods much easier to implement”.