Alexa can hear and record what is typed in nearby devices, study finds

The research showed that PIN codes and text messages from recordings collected by a voice assistant located up to half a metre away can be extracted by cybercriminals.

December 28, 2020 02:02 pm | Updated 02:02 pm IST


Amazon’s Alexa and Google’s Home pod may hear and record what people are typing into nearby devices, despite background noise, according to a team of researchers from the University of Cambridge.

The team showed that PIN codes and text messages from recordings collected by a voice assistant located up to half a metre away can be extracted by cybercriminals.

Researchers constructed an attack to see if it is possible to identify PINs and text typed into a smartphone.

“Given just 10 guesses, 5-digit PINs can be found up to 15% of the time, and text can be reconstructed with 50% accuracy,” they noted in a paper titled “Hey Alexa What Did I Just Type?”

Last year, these researchers showed how a gaming app can steal a banking PIN by listening to the vibration of the screen while a user’s finger taps it.

One of the researchers from the group, Ross Anderson, wrote in a blog post that they wondered whether voice assistants can hear the same taps on a nearby phone as the on-phone microphones could.

“We knew that voice assistants could do acoustic snooping on nearby physical keyboards, but everyone had assumed that virtual keyboards were so quiet as to be invulnerable,” Anderson said.

But, on the contrary, researchers found that modern voice assistants can do directional localisation, just as human ears do, but with greater sensitivity.

For instance, Alexa has seven microphones on its top plane, one in the centre and six in a circle on the perimeter, to determine the direction of a sound source.

As physical keyboards emit sound on key presses, recordings of these keystrokes can be used to reconstruct the text typed on a keyboard, researchers said. Acoustic side channels can likewise be exploited against virtual keyboards such as phone touchscreens, which, despite not having moving parts, still generate sound.

The researchers based the attack on the fact that microphones located close to the screen can hear screen vibrations and use them successfully to reconstruct the tap location.

They show that attacks on virtual keyboards do not necessarily need to assume access to the device, and can actually be performed with external microphones. For instance, they show how key taps performed on a smartphone can be reconstructed by nearby smart speakers.

The method can be used to steal PINs and passwords, and marks the discovery of another technique that can be used to steal personal data from digital assistants.

Last year, researchers discovered how attackers can use light to manipulate the microphones of digital assistants like the Amazon Echo, which treat the light as sound, launching an attack on the device and others connected to it.
