
Laser-Based Audio Injection Attacks on Voice-Controllable Systems [pdf] - SirLJ
https://lightcommands.com/20191104-Light-Commands.pdf
======
inetknght
Discussion yesterday:
[https://news.ycombinator.com/item?id=21444928](https://news.ycombinator.com/item?id=21444928)

------
sp332
This is a cool attack, but I'm not sure where you got "$14" from. The laser
pointers were $18 for a pack of 3, but you need a separate laser driver like
the $300 one the authors used, and probably an audio amplifier as well.

There are some videos of the attack at
[https://lightcommands.com/](https://lightcommands.com/)

~~~
ron0c
Exactly. Title says "$14" and then show this as the setup:
[https://i.imgur.com/SYUSIDs.png](https://i.imgur.com/SYUSIDs.png)

~~~
phailhaus
"Google Assistant can be hijacked by a $2 pack of screws!"

------
smolsky
For the ones too lazy to RTFA:

VIII. CONCLUSIONS AND FUTURE WORK

In this paper we presented LightCommands , which is an attack that uses light
to inject commands into voice-controllable systems from large distances. To
mount the attack, an attacker transmits light modulated with an audio signal,
which is converted back to the original audio signal within a microphone. We
demonstrated LightCommands on many commercially available voice-controllable
systems that use Siri, Portal, Google Assistant, and Alexa, obtaining
successful command injections at a maximum distance of more than 100 meters
while penetrating clear glass windows. Next, we highlight deficiencies in the
security of voice-controllable systems, which leads to additional compromises
of third-party hardware such as locks and cars. Better understanding of the
physics behind the attack will benefit both new attacks and countermeasures.
In particular, we can possibly use the same principle to mount other acoustic
injection attacks (e.g., on motion sensors) using light. In addition, heating
by laser can also be an effective way of injecting false signals to sensors.

------
w-m
I really liked their take on the countermeasures: "It is possible to reduce
the amount of light reaching the microphone’s diaphragm using a barrier that
physically blocks straight light beams [...] However, we note that such
physical barriers are only effective to a certain point, as an attacker can
always increase the laser power in an attempt to compensate for the cover-
induced attenuation. Finally, in case such compensation is not possible, the
attacker can always use the laser to burn through barriers, creating his own
light path."

Sure, you can try to defend by putting a lid on the microphone. But we already
have a laser here, we'll just burn through that.

~~~
brianberns
If someone is willing to blast your possessions to bits using a laser, I think
the security of your smart devices is probably the least of your immediate
concerns.

~~~
Majromax
I don't see how that follows? A thief might be willing to break a conventional
door lock if it gains them access to high-value, fenceable possessions.

In this hypothetical, the hostile actor isn't interested in the smart speaker
itself, they're interested in what the smart speaker can do.

~~~
brianberns
My point is that if someone is directing a powerful laser into your home, you
are in imminent mortal danger, which is worse than whatever the smart speaker
can do.

------
tomatotomato37
Why is everyone more concerned over the ability of someone with too much time
and laser modulation equipment telling their smart speaker to order 10 crates
of hand sanitizer than the physics & possible new applications of influencing
microphones via laser light?

~~~
rubberfish613
They also point out they can use this to bypass security and open "smart-
locks".. this is slightly more concerning than just buying hand sanitizer.. I
wouldn't be caught dead with one of these smart-lock devices, but I have
friends who aren't so cautious.

~~~
ptasci67
I have owned several smart locks and every single one has required a secret
passcode to actually unlock via a smart assistant. Working backwards, the real
threat if they didn't do that is just someone shouting through the window.

~~~
residentraspber
I forget if it was this article or not but someone mentioned that a few of the
smart locks that _do_ have secret codes don't rate limit them, so, in theory,
they could brute force a pin code or password.

I guess the idea is that they think nobody is going to sit there and shout pin
codes until it unlocks?

------
bjt2n3904
One thought is that the radiation is causing the MEMS sensor to physically
vibrate. Part of me wonders how much of this is similar to the way the
Raspberry Pi would glitch out when hit with a camera flash.

[1] - [https://www.raspberrypi.org/blog/xenon-death-flash-a-free-
ph...](https://www.raspberrypi.org/blog/xenon-death-flash-a-free-physics-
lesson/)

[2] -
[https://www.youtube.com/watch?v=SrDfRCi1UV0](https://www.youtube.com/watch?v=SrDfRCi1UV0)

~~~
dvdvdjdvd
Not very similar.

The flash going off gives off strong EMF that induces currents in conductors
at relatively low frequency.

The photo-acoustic effect is usually a thermal effect. Material gets rapidly
hot from the laser and cools quickly when the laser is turned off.

------
wooptoo
According to their website the Google Home mini, the one with the cloth mesh
top, is surprisingly one of the most resilient to this type of attack, being
limited to about 20m in ideal conditions(1).

It's also one of the cheapest voice controlled home assistant devices, being
given away by Spotify, Google and others on special promotions.

(1) [https://lightcommands.com/](https://lightcommands.com/)

------
dantle
I'm a bit surprised that this works. It appears that this attack targets a
single microphone. However, internal to most of these home assistant devices
(e.g. Echo or HomePod) there is an array of microphones. A real sound from a
spoken word would probably show up on more than one microphone (with an
appropriate time and phase offset), although it seems to not be currently
required. It seems like it would be complex or impossible for an attacker to
target more than one microphone with this attack.

~~~
MauranKilom
This is covered in the paper. They acknowledge this defense technique while
also pointing out that a laser flashlight could be used to illuminate all
microphones at once.

~~~
dantle
Perhaps the "all at once" attack could work against today's hardware. This is
because the mics (in devices I know of) are co-planar and the user may be
speaking to Alexa (or whoever) from directly above or below the device. In
this configuration, it is valid for all mics to be receiving the same audio
signal simultaneously.

But in some future rev, one could imagine that if the mics in the array are
non-coplanar (e.g. at least 4 mics) and sufficiently far from each other, then
there is no possible way for the audio signal to reach them at once (unless it
is actually light being measured).

~~~
MauranKilom
You could add timing difference to individual lasers as necessary. It's not
really more complicated than duplicating the laser setups and feeding them the
same signal with time delays. Not a huge step.

However, non-coplanar mics would work for the opposite reason: If they are on
different sides of the device, you couldn't reach all of them from the same
distant location. So unless all mics receive (more or less) similar sound
signals, you could discard it as manipulation.

------
gruez
Can someone explain the mechanism that causes light to translate to electrical
signals in the microphone? Is the heat generated moving the diaphragm? Is the
microphone photosensitive?

~~~
Scaevolus
It's radiation pressure from the pulsed beam of light moving the tiny
microphone.

MEMS microphones are tiny capacitors that are vibrated by sounds. In section
IV.C of the paper, they test whether the effect is mechanical or
photoelectric, and determine that it's acting via mechanical vibrations, since
the effect is stopped by gluing the microphone down with a transparent bit of
glue.

Think of it as a tiny solar sail-- they're hitting a very small piece of metal
with a lot of photons, so even minor deflections are translated effectively.

"The diaphragm is a thin membrane that flexes in response to an acoustic wave.
The diaphragm and a fixed back plate work as a parallel-plate capacitor, whose
capacitance changes as a consequence of the diaphragm’s mechanical
deformations as it responds to alternating sound pressures. Finally, the ASIC
die converts the capacitive change to a voltage signal on the output of the
microphone."

"As can be seen, the modification decreases the amplitude of the signal
detected by the microphone, and the signal after the glue application is less
than 10% of the original signal. We thus attribute our light-based signal
injection results to mechanical movements of the microphone’s diaphragm, which
are in turn translated to output voltage by the microphone’s internal
circuitry."

------
blhack
Man this is such a great hack. This reminds me of the old TEMPEST attacks
against CRT monitors from the 90s.

Cool stuff!

------
zbs7
They made a simplified video explanation here:
[http://youtu.be/ORji7Tz5GiI](http://youtu.be/ORji7Tz5GiI)

------
zenlibs
While the attack is technically feasible, complexity and sophistication do not
lend this to wide deployment. Someone with a lot of time, money and drive
(think heist movie, or spy agency) to hack a person of interest _might_ find
this attack viable, assuming they find a line of sight to the mic. But if
one's dealing with determined hackers, there is likely a multitude of other
lower hanging fruit to first pick off.

~~~
darzu
Hacks always start as "infeasible". But eventually the technique is refined
and there's a kit for $20 that can let anyone do it by following simple
instructions.

------
fpgaminer
I don't know if the authors mention it, but it seems like you could combine
this with the vishing attack
([https://news.ycombinator.com/item?id=21306612](https://news.ycombinator.com/item?id=21306612))
by using silent light commands to get a malicious app installed.

Fun stuff...

------
jimrandomh
Title is editorialized, and in a way that adds incorrect information (the
supposed $14 price tag). Mods, the title for this should be "Light Commands:
Laser-Based Audio Injection Attacks on Voice-Controllable Systems".

------
aazaa
> ... We thus attribute our light-based signal injection results to mechanical
> movements of the microphone’s diaphragm, which are in turn translated to
> output voltage by the microphone’s internal circuitry.

Aside from the security aspect, this is a pretty cool example of applied
physics.

The paper doesn't appear to report anything else on this effect, but AFAICT,
it's new. The Wired story described two hypotheses, one of which involved the
laster heating the air immediately above the microphone, simulating a sound
wave as the light amplitude is modulated.

~~~
dvdvdjdvd
Naw, the photo acoustic effect is a 150 years old

------
gpm
Why did they need to focus the laser through a telephoto lens? I thought the
whole point of lasers was that they were already focused into a beam that is
moving in nearly exactly one direction?

~~~
oceliker
Lasers are collimated [0], not focused. They might be focusing it to maximize
light intensity at the required spot.

[0]
[https://en.wikipedia.org/wiki/Collimated_beam](https://en.wikipedia.org/wiki/Collimated_beam)

------
dwoozle
I forget where I read about a very early and simple attack on Amazon Alexas.
Some people knew that their neighbors were going on a long vacation. So they
just shouted into their house orders for the Alexa through the front door.
They ordered tons of expensive shit on Amazon which was delivered to the front
door and then ran off with the packages. The family didn’t get the order
confirmation emails from Amazon since they were on a remote trip with no
Internet access.

------
BicepGlue
This attack method should be dubbed the "Mysteron Attack".
[https://www.youtube.com/watch?v=Vs13rCqfH9k](https://www.youtube.com/watch?v=Vs13rCqfH9k)
[https://en.wikipedia.org/wiki/Captain_Scarlet_and_the_Myster...](https://en.wikipedia.org/wiki/Captain_Scarlet_and_the_Mysterons)

------
frankus
I'm curious if you can use the same effect with human/animal eardrums.

------
nsxwolf
I suppose the next generation of MEMS microphones can contain photodiodes to
mitigate this attack.

------
adamch
This is cool research, but I hope people aren't viewing this as a real-world
worry. By the time someone is breaking into my house to set up hundreds of
dollars worth of laser equipment, I probably have bigger problems.

~~~
blakes
If you'd actually read the paper, you can see that they were able to inject
commands through double pane glass from 75 meters away.

~~~
adamch
I know, but I have a fence around my house. Once someone is setting up
equipment around my house, why not just smash a window and steal my stuff
directly?

------
kinnth
Blew my mind!

I always felt all these assistants we're super creepy any way and I get a lot
of things hooked up in my smart home but want to control everything via my
phone, which I trust.

------
gok
The authors seem to a little confused by the purpose of voice identification
in these systems. They repeatedly call it "Voice Authentication", which is it
not.

------
exabrial
I don't understand why anyone wants these listening devices in their home

~~~
ryandvm
Do you really not understand or are you just not accepting the same answers
everyone gives every time this question comes up?

They're terribly useful for listening to music, setting timers, alarms,
reminders, checking weather, traffic, unit conversions, and just general web
lookups.

I suspect what you meant was, "why do people trade their privacy for
convenience?" Which of course is ALWAYS the trade-off one makes when it comes
to security.

I personally have decided (for now) that the convenience of the devices
outweighs the _likely_ harm they will have on me. Would I have one if I were
running for political office? Absolutely not.

~~~
satokema_work
It's weird that I manage to do that entire list of things without saying a
word aloud.

It's luxury tech. That's where the market is.

~~~
dwild
> It's weird that I manage to do that entire list of things without saying a
> word aloud.

That's a incredibly broad statement... anything you do can be done in another
way which someone could define as luxury. I can churn butter, but I like the
luxury to buy it instead, I expect you are the same ;).

