If you’re minding your own business in Paris, listening to your headphones, and all of a sudden Rick Astley starts playing, that’s because the French information security organisation ANSSI has figured out how to hack your device through its headphone mic.
That’s right: by transmitting a very specific signal that is picked up by your headphones, hackers could theoretically gain control of your phone through either the OK Google or Hey Siri commands. The attack only works with a set of headphones that has a mic; given that, the attacker could do any number of things with your phone, be that humorous, malicious, or the troll-worthy grey area in between.
According to Wired, the technique could be performed as far as 5 metres away.
Their clever hack uses those headphones’ cord as an antenna, exploiting its wire to convert surreptitious electromagnetic waves into electrical signals that appear to the phone’s operating system to be audio coming from the user’s microphone. Without speaking a word, a hacker could use that radio attack to tell Siri or Google Now to make calls and send texts, dial the hacker’s number to turn the phone into an eavesdropping device, send the phone’s browser to a malware site, or send spam and phishing messages via email, Facebook, or Twitter.
Apparently everything you could do with the voice interface can be done using this attack. It’s not limited to just one phone at a time, either. While many phones don’t have voice commands enabled while locked, a setup that fits inside a backpack would allow an attacker to transmit in a very public place with lots of vulnerable phones. The researchers put forward a scenario in which several phones dial a number set up to generate cash from each call, akin to a fortune telling hotline. I’m sure there are many other creative scenarios one could come up with.
While you have to pay to see the actual paper, Wired does a good job of going through the possibilities and restrictions. Check it out here.