New Study Exposes Vulnerability in Smart Home Assistants

Almost twenty percent of United states households already use voice activated home assistants and smart speakers such as Google Home, Apple’s Siri, and Amazon’s Alexa. A recent research study by the group “Light Commands” discovered a way to remotely input commands to all of these devices with a laser. 

Smarthomes an increasing trend

An online survey from January 2018 found that 47 million, or 19.7% of U.S. adults use smart speakers. Amazon’s Echo and Echo Dot were the most popular, with 71.9% of the market share. Google Home and Home mini devices make up 18% of smart speakers. Less than ten percent of devices come from other companies. 

Aside from the menial tasks of controlling lights and music, users also trust devices such as these to operate their homes’ locks, visit websites, and remotely start vehicles.

Laser Hackability 

To hack the device, the researchers used lasers to send inaudible commands to its microphone. The device processed the signal as a voice command, which it then carried out. Most commands do not require additional identity confirmation such as a PIN or password, allowing the laser pointer a direct line to the device and the objects connected to it. 

Access is gained through the microphones themselves. Components called micro-electro-mechanical systems actually respond to light signals as if they were sound. These MEMS components are installed in every major commercial smart speaker on the market today.

Vulnerability

Using a laser requires a direct line of sight, and is also limited by the laser’s range. Telephoto lenses were used to focus the laser’s signal, giving it a range of up to 110 metres. Further distances were likely possible but remain untested. The necessary hardware includes a cheap laser with computer connectivity, a $300 driver to modify the laser signal, and a $30 audio amplifier. Invisible, infrared lasers also successfully breached the devices. 

To hit home the significance of this vulnerability, the researchers sent the command “Open the garage door” to the test devices. The door, 110 metres away, quickly obliged.