Smart home assistants at risk from “NUIT” ultrasound attack

A new form of attack named “Near Ultrasound Inaudible Trojan” (NUIT) has been unveiled by researchers from the University of Texas. NUIT is designed to attack voice assistants with malicious commands remotely via the internet.

Impacted assistants include Siri, Alexa, Cortana, and Google Assistant.

This attack relies on abusing the high sensitivity of microphones found in these IoT devices. They’re able to pick up what is described as the “near-ultrasound” frequency range (16kHz – 20kHz), and this is where NUIT lurks.

A NUIT sound clip can be played on the targeted device’s speaker which allows for the voice assistant to be attacked on the device itself, or even another device altogether.

There are 2 different ways to launch this attack. One is where NUIT is happening on the targeted device itself. This could be, for example, a rogue app or an audio file. Below you can see a video where the NUIT attack results in an unlocked door.

The second form of attack is where the first device containing a speaker is used to communicate with a second device containing a microphone. This is the daisy-chain style approach, where all of the cool technology in all of your devices slowly comes back to haunt you. As researchers note, a smart TV contains a speaker and a quick blast of YouTube could be all that’s needed. Even unmuting a device during a Zoom call could be enough to send the attack signal to your phone sitting next to the computer as the meeting is taking place.

In terms of being successful via NUIT attack, social engineering plays a large part. Bogus websites, apps, and audio could all be entry points for voice assistant shenanigans.

Once access to a device is gained, an attacker lowers the device’s volume. This is so the device owner is unable to hear the assistant responding to commands being sent its way. Meanwhile, the speaker needs to be above a specific noise level so the attack can actually take place. As long as all of this takes place, the bogus command length has to be below 77 milliseconds or it won’t work.

In terms of current impact, researchers say that Siri devices “need to steal the user’s voice”. Meanwhile, the other 16 devices tested can be activated through use of a robot voice or indeed any other voice at all for that matter.

The NUIT attack is listed as being due to appear at the upcoming USENIX Security Symposium in August, which will give a complete overview of how this works. For now, the advice for possible defences against this new form of attack listed by the researchers include the following:

  • Use earphones. If the microphone can’t receive malicious commands, then the compromise can’t take place.
  • Awareness is key. Be careful around links, apps, and microphone permissions.
  • Make use of voice authentication. If you’re on an Apple device, now is the time to fire that up.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.