Researchers Demonstrate Smartphone Hacking Method Using Ultrasonic Waves

With the rise of virtual assistants like Apple Siri and Google Assistant, users can now control their mobile devices using voice commands. However, a joint team of researchers from Washington University in St. Louis, the University of Michigan, and the Chinese Academy of Sciences has demonstrated that this functionality can also be exploited for malicious purposes. For example, attackers could make fraudulent calls from a victim’s phone, intercept SMS messages containing verification codes, or interact with the voice assistant without the user’s knowledge.

The method developed by the researchers, called SurfingAttack, uses ultrasonic waves that travel through solid surfaces to target voice control systems. According to the experts, SurfingAttack modulates a voice command into an inaudible frequency range and transmits attack signals using a standard piezoelectric transducer (which converts electrical signals into ultrasonic waves) through various types of solid tables.

The researchers conducted a series of experiments in which several phones were placed on a table. A microphone and a piezoelectric transducer (PZT) were attached to the underside of the table, while a wave generator was used on the other side to fine-tune the signals. Using the SurfingAttack method, they were able to send commands to the voice assistant, extract SMS codes, and make fraudulent calls.

The team tested 17 different smartphone models, including Google Pixel, Moto G5 and Z4, Samsung Galaxy (S7, S9), Xiaomi (Mi5, 8, Mi 8 Lite), Huawei (Honor View 10, Mate 9), and Apple iPhone (5, 5c, 6 Plus, X). All of these devices were found to be vulnerable to the SurfingAttack, and the presence of a phone case did not affect the outcome.

Previously, researchers from the University of Chicago invented an interesting bracelet that uses ultrasound to jam nearby microphones, including those in smart speakers and voice assistants.