Researchers hack Google Home, Echo and HomePod using a remote laser
Updated: Nov 27, 2019
Smart speakers are devices with a growing presence in homes around the world. They answer questions and follow orders such as "what will the weather be like tomorrow" or "turn off the lights in the room", the latter provided that there are appliances with a wireless connection.
Three of the world's largest companies, Apple, Google, and Amazon, have a smart speaker in their product catalog. Each of them has its own artificial intelligence, Alexa being Amazon's, Google Assistant's Google's, and Siri's Apple's.
These devices are not without controversy. Being connected to the Internet, there is a question of whether they are as reliable as the manufacturers announce. Some of them, such as Siri or Alexa, have a team to evaluate the quality of responses and requests, although they now offer the possibility of not participating in the improvement program.
After discovering that some Amazon Echo and Google Home applications cause these speakers to constantly spy on you, a group of researchers has managed to manipulate them in a most curious way: with a laser pointer.
A hack that allows you to induce commands of all kinds
The guys from ArsTechnica comment that it is possible to hack smart speakers Google Home, Amazon Echo and Apple HomePod using a laser pointer. With this technique, they can inject inaudible or even sometimes invisible commands that allow opening doors or entering websites.
Apparently, aiming with a low-intensity laser at one of these systems opens the ban on entering commands from up to 110 meters away. Also, since most of these systems do not need authentication, attacks do not require a password or PIN code. Even if it were, the code could be discovered by "brute force" as there are no limits of attempts.
In the case of Apple HomePod, personal requests are activated by default. This function allows you to send messages, make calls or create reminders when our iPhone is close, authenticated and connected to the Wi-Fi network. In addition, authentication is also enabled by default for secure requests such as reading notes, reminders or calendar events.
Although one of these smart speakers could be manipulated with a long-distance laser, for example, from another building, or even a telephoto lens can be used to go even further, the device must be visible, that is, near a window.
A vulnerability of MEMS microphones
It is possible to hack smart speakers due to the vulnerability of microphones that use MEMS technology (microelectromechanical systems). These components respond to light as if it were a sound. Although this method has only been tested with Siri, Alexa, Google Assistant, Facebook Portal and a small number of tablets and smartphones, it is believed to affect all microphones with this technology.
But not only is it enough that the device in question is visible but also, in most cases, the laser has to be aimed at a specific part. On the other hand, attendees usually respond with visual or audible signals when they detect an activation command (Hey Siri, Alexa, Ok, Google), so the user, if close, is notified.