Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not a subscriber? Subscribe now for unlimited access to online articles.

Intelligent Machines

Computers Could Talk Themselves into Giving Up Secrets

Malware might use a voice synthesizer to bypass some security controllers, researchers say.

Voice control and other assistive technologies are on hundreds of millions of PCs and smartphones.

Voice-control features designed to make PCs and smartphones easier to use, especially for people with disabilities, may also provide ways for hackers to bypass security protections and access the data stored on those devices.

Accessibility features are there for a good reason—they make it possible to control what’s happening on the graphical user interface without typing. But if they aren’t designed carefully, these features can be abused.

Researchers at Georgia Tech found that they could sidestep security protocols by using voice controls to enter text or click buttons. In a paper on the work, the researchers describe 12 ways to attack phones with Android, iOS, Windows, or Ubuntu Linux operating systems, including some that would not require physical access to the device. The paper will be presented next week at the CCS’14 conference in Scottsdale, Arizona.

One attack showed how a piece of malware could use Windows Speech Recognition to talk its way into running commands that normally require a higher level of privilege, demonstrated on a laptop here.

Another demonstration showed how malware could attack a smartphone. It exploits the fact that Google Now, a voice-controlled assistant that comes with the Android operating system, can use a voiceprint in lieu of a typed passcode. The researchers show how an attacker might record the authentication phrase on a Moto X phone, and then use a generic text-to-speech program to issue other commands as if it were the user. The attack is shown here.

“This is an important wake-up call for major OS vendors: Microsoft, Apple, and the Linux community,” says Radu Sion, director of the National Security Institute at Stony Brook University.

Wenke Lee, the Georgia Tech computer scientist who led the work, says the problems appear to be the result of incorporating speech recognition and other features into phones late in the development cycle.

“I think there are fundamental issues here that are hard to fix,” says Lee. “These features were added after the OS had been implemented, so these features don’t have the same kinds of security checks.”

Hackers could exploit the vulnerabilities remotely to initiate or escalate an attack on a device, Lee says. Although a phone that starts speaking to itself could be fairly obvious to the user, a malicious app could keep track of motion data and wait until the phone was not moving for a long period, indicating that the user was probably not nearby, Lee says.

Keep up with the latest in intelligent machines at EmTech Digital.

The Countdown has begun.
March 25-26, 2019
San Francisco, CA

Register now
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to MIT Technology Review.
  • Print + All Access Digital {! insider.prices.print_digital !}* Best Value

    {! insider.display.menuOptionsLabel !}

    The best of MIT Technology Review in print and online, plus unlimited access to our online archive, an ad-free web experience, discounts to MIT Technology Review events, and The Download delivered to your email in-box each weekday.

    See details+

    12-month subscription

    Unlimited access to all our daily online news and feature stories

    6 bi-monthly issues of print + digital magazine

    10% discount to MIT Technology Review events

    Access to entire PDF magazine archive dating back to 1899

    Ad-free website experience

    The Download: newsletter delivery each weekday to your inbox

    The MIT Technology Review App

  • All Access Digital {! insider.prices.digital !}*

    {! insider.display.menuOptionsLabel !}

    The digital magazine, plus unlimited site access, our online archive, and The Download delivered to your email in-box each weekday.

    See details+

    12-month subscription

    Unlimited access to all our daily online news and feature stories

    Digital magazine (6 bi-monthly issues)

    Access to entire PDF magazine archive dating back to 1899

    The Download: newsletter delivery each weekday to your inbox

  • Print Subscription {! insider.prices.print_only !}*

    {! insider.display.menuOptionsLabel !}

    Six print issues per year plus The Download delivered to your email in-box each weekday.

    See details+

    12-month subscription

    Print magazine (6 bi-monthly issues)

    The Download: newsletter delivery each weekday to your inbox

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.