Alexa, play “Mission Impossible Theme”

Always-on smart speakers, like Amazon Alexa or Google Nest, may be rendering us vulnerable to yet another form of cyber attack. A new study conducted by scientists at Cambridge University has found that a compromised speaker can not only hear what you’re saying, but can also make inferential guesses about what you’re typing by listening to the tapping of your thumbs. 

“Voice assistants are now ubiquitous and listen in on our everyday lives. Ever since they became commercially available, privacy advocates worried that the data they collect can be abused: might private conversations be extracted by third parties?” write Almos Zarandy, Ilia Shumailov, Ross Anderson, the co-authors of the study.  

Using two different smartphones and a tablet, the researchers were able to demonstrate that it is possible to use a smart speaker to analyse the sound of typing in order to extract PIN codes and text messages typed up to half a metre away. 

The implications are somewhat grim in a world where 21.3mn new smart speakers were installed in homes throughout the US in 2019 alone. 

According to the researchers from Cambridge, the results of the study show “that remote keyboard-inference attacks are not limited to physical keyboards but extend to virtual keyboards too. As our homes become full of always-on microphones, we need to work through the implications.” 

Keystroke logging

Analysing the motion and sounds produced when people interact with their devices isn’t a new form of cyber crime. Keystroke logging was originally an espionage tool developed by the USSR during the Cold War. 

In the mid-1970s, Soviet intelligence began using something they called the “selectric bug”, which covertly measured the movements of the print head of IBM Selectric typewriters via subtle influences on the regional magnetic field caused by the rotation and movements of the print head in order to determine what was being types. The Soviet Union used the devices to great effect throughout the decade to monitor goings on inside the US Embassy in Moscow. The devices were so effective it seems, that as of 2013, Russian intelligence agencies still use manual typewriters.

Today, the technology used to measure external factors in order to obtain people’s sensitive information has grown infinitely more sophisticated. 

Inference Hacking

2020 will go down in history as the year of the Zoom call. Lockdowns and the subsequent shift to remote work around the world has increased the amount of video conferencing traffic dramatically. 

Another study released recently - this time by researchers at the University of Texas and the University of Oklahoma - found a way to record what people were typing by tracking the movements of their shoulders and upper arms. The study found that its attack framework was capable of capturing what people type with as much as 93% accuracy. 

“Our relatively high keystroke inference accuracies under commonly occurring and realistic settings highlight the need for awareness and countermeasures against such attacks,” wrote the report co-authors, Mohd Sabra, Anindya Maiti, Murtuza Jadliwala.

Another Attack Vector

As our homes and cities become smarter and more connected, we find ourselves increasingly surrounded by microphones. More and more, it seems that these listening devices are a key vulnerability in the modern home and enterprise, particularly as those lines continue to be blurred by large numbers of people working from home. 

Ross Anderson - one of the co-authors of the report on smart speaker snooping - wrote in a recent article that, “Seven years ago we showed that you could use a phone camera to measure the phone’s motion while typing and use that to recover PINs. Four years ago we showed that you could use interrupt timing to recover text entered using gesture typing. Last year we showed how a gaming app can steal your banking PIN by listening to the vibration of the screen as your finger taps it. In that attack we used the on-phone microphones, as they are conveniently located next to the screen and can hear the reverberations of the screen glass.” 

Much like smartphones, smart speakers have become yet another attack vector for cyber criminals to exploit. However, the key issue here is that, while smartphones are typically equipped with their own security features, the vast majority of IoT sensors on the market are inadequately defended. 

A recent article by Jose Ruiz, VP of operations at Compass Data Centers, published on Cisco’s blog, notes that there is “a good deal of disquiet surrounding IoT device security,” adding that “the global IoT device supply chain needs greater vigilance regarding quality control. In the absence of proper regulation and IoT standards, IoT device hacks have become a dangerous reality.”