
Laser-Based Audio Injection on Voice-Controllable Systems - close04
https://lightcommands.com/
======
OldGuyInTheClub
I think the photoacoustic effect is at play here. Discovered by Alexander
Graham Bell has a variety of applications. It can be used to detect trace
gases in gas mixtures at the parts-per-trillion level among other things. An
optical beam chopped at an audio frequency goes through a gas cell. If it is
absorbed, there's a pressure wave at the chopping frequency proportional to
the absorption. If not, there isn't. Synchronous detection (e.g. lock in
amplifiers) knock out any signal not at the chopping frequency. You can see
even tiny signals when there is no background. Hearing aid microphones make
excellent and inexpensive detectors so I think that the mics in modern phones
would be comparable.

Contrast this with standard methods where one passes a light beam through a
cell into a detector, looking for a small change in a large signal.

[https://chem.libretexts.org/Bookshelves/Physical_and_Theoret...](https://chem.libretexts.org/Bookshelves/Physical_and_Theoretical_Chemistry_Textbook_Maps/Supplemental_Modules_\(Physical_and_Theoretical_Chemistry\)/Spectroscopy/Photoacoustic_Spectroscopy)

Hats off to the Michigan team for this very clever (and unnerving)
demonstration.

------
sorenjan
I don't understand how laser light, even from a small 5 mW laser pointer, can
get the membrane to move. My first thought was that it wasn't moving and that
the signal was from the photoelectric effect, but they have a section in the
paper testing just that and it turns out it is the membrane moving. I doubt
it's expanding from heat since it's such a low power and it reacts fast enough
to simulate speech, but how does it work?

~~~
deepnotderp
Radiation pressure would be my initial guess, but this is a very weak laser
for that.

~~~
Animats
That puzzles me, too. The thermal effect that drives a radiometer[1] should be
too slow to transmit audio. Radiation pressure transfer from photons is very
weak, but wouldn't have bandwidth problems. The frequency response of this
effect does fall off with frequency, but not very fast; see fig. 6. in the
paper.[2] There's still reasonable output at 3KHz.

Light pressure of sunlight is about 1mg/m^2. Or one nanogram per square
millimeter, a reasonable size for a chip microphone. Will chip microphones
respond to a nanogram of pressure?

[1]
[https://en.wikipedia.org/wiki/Crookes_radiometer](https://en.wikipedia.org/wiki/Crookes_radiometer)
[2] [https://lightcommands.com/20191104-Light-
Commands.pdf](https://lightcommands.com/20191104-Light-Commands.pdf)

------
fortran77
This is amazing. I had no idea the "MEMS" microhones were light sensitive
enough to exploit this. It's not the most far-fetched attack. If a well-funded
government spy sees that there's an alexa in the room, why not tell it to make
a phone call to a throw-away number and listen in?

~~~
rblatz
In that case it’s way less risky to just bounce a laser off the window and
decode the signal coming back to hear what’s being said in the room.

~~~
close04
Control over a voice assistant gives you a lot more than "just" a listening
device in the room. It already has authorization for many actions inside the
network. It's not that there are no other ways to achieve the same but this
seems to be extremely cheap, easily exploitable, and with close to zero
traceability.

------
hjkhlejhwer
> _Light Commands is a vulnerability of MEMS microphones_

I've always wondered how it's possible for smartphones to sound so good given
that the microphone needs to fit in a few millimeters, how do they sound
better than much bigger (cheap) microphones. Apparently the answer is MEMS
microphones.

------
mokus
> Moreover, even if enabled, speaker recognition only verifies that the wake-
> up words (e.g., "Ok Google" or "Alexa") are said in the owner's voice, and
> not the rest of the command.

Holy shit, this might be even more astounding to me than the laser attack
itself.

~~~
psykus
Set up a camera to also watch for the wake light, profit.

~~~
wnkrshm
Point laser microphone at the window to get a recording.

------
jacquesm
Very cool hack, a microphone with
[https://en.wikipedia.org/wiki/Synesthesia](https://en.wikipedia.org/wiki/Synesthesia)
!

------
silentOpen
They explicitly mention that the effect seems unrelated to wavelength of
incident light — would love to see a test with a UV or IR laser source to
demonstrate that the primary downside of the attack is mitigatable (of course
with additional expense and increased safety risk).

------
oakwhiz
Based on this and the iPhone helium problem, it seems like the security and
durability of MEMS devices needs to be examined carefully for their intended
use case.

------
anfilt
My guess is the photoelectric effect if its a MEMS device

