You might want to think twice about leaving your headphones plugged in to your smartphone when you’re not using them. Researchers have determined that the combination of headphones with a microphone and a voice-activated virtual assistant like Siri or Google Now enables them to remotely control a mobile device using a radio signal.
I wrote this post about the hack, and why it’s unlikely to pose a significant risk:
One of the new features in iOS 9 is the ability to train Siri to only recognize your voice so your phone doesn’t respond to commands from just anybody. According to a report from Wired, though, a pair of researchers at ANSSI—a French government agency—have figured out a way to use radio waves to silently activate Siri or Android’s Google Now from across the room.
The hack only works if the target device has Siri or Google Now enabled, and has headphones or earbuds plugged in that also have a microphone. Wired explains, “Their clever hack uses those headphones’ cord as an antenna, exploiting its wire to convert surreptitious electromagnetic waves into electrical signals that appear to the phone’s operating system to be audio coming from the user’s microphone.”
In theory, the attack could be used to do anything you can do using the Siri or Google Now voice interaction. The attacker could make calls, send text messages, open malicious websites, send spam or phishing emails, or post to social networks like Facebook and Twitter. By placing an outbound call to the attacker’s own phone, the hack could be used to surreptitiously eavesdrop on the victim.
That’s the doomsday scenario version. Now, let’s scale it back and look at how plausible it is for an attack like this to actually work. Most of the time that you have headphones plugged in to your smartphone, you’re also listening to them. When Siri or Google Now are activated—even if initiated silently over the airwaves—they typically make some sort of noise indicating that they’re ready to listen to your voice command, and they respond verbally by default, so if you’re wearing the headphones you should immediately realize something suspicious is going on.
Even if you’re not actively wearing the headphones—maybe your headphones are plugged in but the smartphone and headphones are just sitting on a table in front of you—it would be challenging to activate the virtual assistant without alerting you. The display generally comes to life and shows your request along with the response from Siri or Google Now. If you’re sitting there, minding your own business, and your smartphone suddenly springs to life, you’d probably notice.
If your smartphone has the headphones plugged in, but you’re not wearing the headphones to hear the voice interaction, and the smartphone is lying face down so you can’t see the interaction on the display, the attack is theoretically possible, but still highly unlikely. The attack requires unique hardware and only has a range of between six and sixteen feet according to the researchers—depending on the size and power of the radio and antenna.
Read the full story on Forbes: Hackers Can Turn Siri And Google Now Against You.