
Google Voice Search Attack on Android [pdf] - borski
http://arxiv.org/pdf/1407.4923.pdf
======
diminoten
You'd have to be pretty quick to get information out of the phone before the
user catches on, especially if you've just asked the user to watch a video.

I just don't see this as an effective means of controlling a phone, when your
primary means of "infection" involve user action.

The paper even acknowledges this, though almost dismissively: "One potential
limitation of GVS-Attack is that the victim may notice the voice command
played by VoicEmployer and interrupt it."

That's like, the whole reason this attack isn't very useful except in specific
situations. No one's going to be running their botnet via GVS-Attack, that's
for sure.

~~~
iguana
It could be used as part of the process, for example to access a URL with an
android exploit on it that the user would not normally visit. It could also
detect periods of inactivity, or high background noise. This is a real attack
vector not worth dismissing.

~~~
diminoten
No doubt, I just think the fact that the user is going to interfere with any
direct exfiltration ruins this as a stand-alone attack.

Your idea, however, is exactly the "missing piece" to this attack.

------
ShaneWilton
The same thing happened about a month ago with an Xbox One commercial that
would turn on people's consoles: [http://www.businessinsider.com/xbox-one-ad-
turning-on-people...](http://www.businessinsider.com/xbox-one-ad-turning-on-
peoples-xbox-2014-6)

~~~
codeka
There was another one where a guy with the name "XBox Shut Off" would run
around griefing players in Call of Duty and when they yell at him to stop,
accidentally initiate the "off" command.

[https://www.youtube.com/watch?v=hGZeU4s28kk](https://www.youtube.com/watch?v=hGZeU4s28kk)

~~~
Zircom
Reminds me of the way some friends and I came up with a way to trick people
into logging out in WoW. There's the /logout command, which initiates the
logging out sequence. However, there's also the /camp command, which does the
same thing, but a fair amount of people don't know about it. Now, logging out
normally takes 20 seconds, but if you're in one of the capitals, it's instant.
So we would say in trade chat(a chat channel that's only visible to people in
a capital) about how /camp sets down a campfire, unwitting players would try
it out, and find themselves back on the character select screen. Just a bit of
harmless fun, but you would not believe how upset people would get.

~~~
Relys
Back on the quake 3 engine I used to convince users that typing /disco would
spawn a giant disco ball complete with lights and music. /disco is the same as
/disconnect. Good times. :)

------
MattHeard
This is only tangentially related to the topic, but I noticed the following
note on the first page:

> Permission to make digital or hard copies of all or part of this work for
> personal or classroom use is granted without fee provided that copies are
> not made or distributed for profit or commercial advantage and that copies
> bear this notice and the full citation on the first page. To copy otherwise,
> to republish, to post on servers or to redistribute to lists, requires prior
> specific permission and/or a fee.

Is sharing to HN considered in the same vein as redistributing to a list?

~~~
thesimon
Because HN is just linking to the file and the file is not uploaded on this
site (in contrast to like attaching it to an email to redistribute), probably
not.

------
typpo
Can anyone reproduce this? I am trying to command my phone via Chrome's web
speech API but it doesn't pick up "OK Google."

[http://www.ianww.com/voice_assistant_abuse.html](http://www.ianww.com/voice_assistant_abuse.html)

Seems like this attack could be trivially prevented by disabling speech
recognition while speech synthesis is running. It looks like this may already
be the case for the web speech api (or the synthetic voice is just too
different from mine).

~~~
davvid
_Seems like this attack could be trivially prevented by disabling speech
recognition while speech synthesis is running_

The paper mentions that they save the synthetic voice to .wav files first, and
only later play them back, so this would not help.

------
Buge
I wonder if it can dial 911 or other emergency numbers. If it was installed on
a large number of phones then activated all at once and played one of several
pre-recorded emergency type audio files, that seems like it could put serious
pressure on emergency response teams.

------
NickWarner775
How easy is it for hackers to be able to take control of your phones camera or
speakers?

------
anilshanbhag
the attack is interesting, however what I am surprised is they have written 12
page paper on it ! the entire content of the paper can be rewritten to well
within 4 pages

~~~
b6
Isn't that around the normal compression ratio you find with academic papers?
I almost always find them extremely verbose.

~~~
verbatim
Yes, this looks normal for a research/academic paper. It isn't a news article.
The details are important.

------
gcb0
Voice commands with via sound. news at 11.

