The smart device in your home can be taken over remotely by a laser beam shone on it by hackers. Your “smart device” then becomes a dumb slave following the hacker’s – not your – every command, whether it’s to unlock your front door, open your garage, adjust your thermostat or do anything else these devices can do.
Turning Smart Speakers into a Hacker’s Slave
We’ve discussed in the past the ability of lasers to be turned into the most amazing hacking tools. Targeting the infra-red ports of computers, they have been used to remotely send instructions. Targeting office windows, they have been used to eavesdrop on conversations. But this is the first time MyProfyle has seen lasers used to send commands, including audio instructions, directly to smart speakers, making them do anything the hacker desires that the smart speaker could normally do.
Ever since these smart speakers by companies like Amazon, Google and Apple showed up on the market, consumers knew they were making a sort of deal with the devil. The smart speaker, like your smart phone, is capable of many wonderful things. It can send instructions to an increasingly wired home, get information from the Internet, send out messages, place orders for food and more. The possibilities are literally endless. But consumers soon understood that in order to work, these devices were constantly on, listening for our instructions and processing our speech to determine if there’s something we want. Hackers have now demonstrated that they can hijack these smart devices remotely, using a laser to issue instructions that can put your privacy and safety at risk.
Criminals Unlock your Garage Door From Outside or Worse
When we think about someone breaking into our homes, we often imagine the physical attack – a lock picked, a door smashed in, a window broken. But what if the criminal could simply tell your Alexa or other smart speaker to unlock the front door or open the garage door by pointing a laser at your smart speaker and sending audio instructions to it from outside your home?
A new video posted online shows this exact exploit being done to a common Google smart speaker, but understand that this is just the tip of the iceberg. Any smart speaker or Internet of Things (IoT)-enabled appliance that takes audio commands could be hijacked in the exact same way. The device could then be instructed to order a pizza or possibly turn the oven on or call 911. It all depends on what your device can do.
If all this weren’t bad enough, the laser doesn’t make a sound so you can’t hear your smart speaker being hijacked unless it makes a noise. The laser energy is converted to an electrical signal the same way the audio waves from your voice are. To the smart speaker, a signal is a signal, whether it comes in the form of audio waves or a beam of light. Researchers were even able to disable the audible response the smart device would normally make by issuing an initial silent command by laser to turn the volume down to zero or activate Amazon’s “whisper mode” to respond in a hushed tone.
Watch It Happen: If You Can Say It, The Bad Guys Can Too
A group of researchers from two universities in Tokyo and Michigan collaborated to demonstrate the power of this “photoacoustic quirk”. Their video, which you can see here, shows them issuing silent instructions to a smart speaker. The device immediately responds and follows the command as surely as if it came from your voice from inside the home.
No Audible Sound
MyProfyle’s recommendation with all online requests for money is first and foremost not to comply. If you think the criminal truly does have compromising information – perhaps gathered by hacking a device – or they have proven its existence to you, you may wish to contact the FBI. Extortion is a serious crime and they may be able to help identify the criminals when they try to collect their ill-gotten bounty. The most important thing to remember is not to simply pay any money to these types of extortionists. If you pay, you will certainly be a victim for a long time to come or you will find out the hard way that they never had anything to begin with.
In a fascinating deep-dive article, Wired magazine quotes the scientists, who demonstrate that even a cheap laser pointer was able to hijack these devices. Those same scientists confess to not fully understanding why these smart devices interpret light as audio – they just know it works. They have published a research paper which Google says they are going to study closely.
What You Must Do: Keep Them Out of Sight
Each of us will have to continue to make the decision for ourselves whether the convenience and power of IoT devices is worth the very obvious security tradeoffs of having a device in our home that is integrated into the rest of our smart home, will follow the instructions of anyone and is constantly eavesdropping on us. For some devices in the near future, the power to make that choice may be removed. There may be no way to make these devices deaf and dumb.
The researchers found one silver lining: smart devices that required authentication prior to making purchases or accepting commands provided an important layer of security. Examples are Apple devices that require fingerprint or facial recognition, or devices that recognized their owner’s voice before accepting commands. So one takeaway is to not buy the cheapest device, or to disable those devices that do not have some form of authentication built in.
One important piece of advice we think everyone should follow is to keep these devices out of sight so that they cannot be compromised by laser beams sent from outside our home. Because they are designed to work with audio, there’s no need for them to be in our line of sight. They can be on a high or low shelf, placed behind a thin screen or otherwise shielded from view. Essentially, if the bad guys cannot see them, they probably cannot target them. Another important consideration is to restrict the capabilities of those devices. Do you need to expose your thermostat or Alexa? Does Google Home need to be able to make purchases for you? Or do you just need to ask questions and play music? Remember, if you can do it, they can do it.
Finally, we recommend signing up with MyProfyle’s Free For Life Identity Protection™ service because it remains the best way to find out if your information has been exposed whether it’s because of one of these hacks or something else like a data breach.