There are some videos of the attack at https://lightcommands.com/
"$300 for the whole thing. (Note: This doesn't include the GPU, motherboard, case, or monitor that I already had prior to building.)"
Submitters: please don't editorialize like that. It breaks the site guidelines: https://news.ycombinator.com/newsguidelines.html
Maybe we should change this submission's title to the PDF's title.
You can probably inject the signal straight from the headphone output of a smartphone into the right pad in the laser pointer with a decoupling resistor and inline capacitor.
...if you don't care about audio quality and longevity of the laser.
VIII. CONCLUSIONS AND FUTURE WORK
In this paper we presented LightCommands
, which is an attack that uses light to inject commands into voice-controllable systems from large distances. To mount the attack, an attacker transmits light modulated with an audio signal, which is converted back to the original audio signal within
a microphone. We demonstrated
LightCommands on many commercially available voice-controllable systems that use Siri, Portal, Google Assistant, and Alexa, obtaining successful
command injections at a maximum distance of more than 100 meters while penetrating clear glass windows. Next, we highlight deficiencies in the security of voice-controllable systems, which leads to additional compromises of third-party
hardware such as locks and cars.
Better understanding of the physics behind the attack will benefit both new attacks and countermeasures. In particular, we can possibly use the same principle to mount other acoustic injection attacks (e.g., on motion sensors) using light. In addition, heating by laser can also be an effective way of injecting false signals to sensors.
Sure, you can try to defend by putting a lid on the microphone. But we already have a laser here, we'll just burn through that.
In this hypothetical, the hostile actor isn't interested in the smart speaker itself, they're interested in what the smart speaker can do.
A microphone is just a reverse speaker. For example, if you plug your earbuds into an audio input port, you can use them as a microphone.
This is all relatively basic, just not obvious to most people.
I guess the idea is that they think nobody is going to sit there and shout pin codes until it unlocks?
 - https://www.raspberrypi.org/blog/xenon-death-flash-a-free-ph...
 - https://www.youtube.com/watch?v=SrDfRCi1UV0
The flash going off gives off strong EMF that induces currents in conductors at relatively low frequency.
The photo-acoustic effect is usually a thermal effect. Material gets rapidly hot from the laser and cools quickly when the laser is turned off.
It's also one of the cheapest voice controlled home assistant devices, being given away by Spotify, Google and others on special promotions.
But in some future rev, one could imagine that if the mics in the array are non-coplanar (e.g. at least 4 mics) and sufficiently far from each other, then there is no possible way for the audio signal to reach them at once (unless it is actually light being measured).
However, non-coplanar mics would work for the opposite reason: If they are on different sides of the device, you couldn't reach all of them from the same distant location. So unless all mics receive (more or less) similar sound signals, you could discard it as manipulation.
MEMS microphones are tiny capacitors that are vibrated by sounds. In section IV.C of the paper, they test whether the effect is mechanical or photoelectric, and determine that it's acting via mechanical vibrations, since the effect is stopped by gluing the microphone down with a transparent bit of glue.
Think of it as a tiny solar sail-- they're hitting a very small piece of metal with a lot of photons, so even minor deflections are translated effectively.
"The diaphragm is a thin membrane that flexes in response to an
acoustic wave. The diaphragm and a fixed back plate work
as a parallel-plate capacitor, whose capacitance changes as a
consequence of the diaphragm’s mechanical deformations as
it responds to alternating sound pressures. Finally, the ASIC
die converts the capacitive change to a voltage signal on the
output of the microphone."
"As can be seen, the modification decreases
the amplitude of the signal detected by the microphone, and
the signal after the glue application is less than 10% of
the original signal. We thus attribute our light-based signal
injection results to mechanical movements of the microphone’s
diaphragm, which are in turn translated to output voltage by
the microphone’s internal circuitry."
Aside from the security aspect, this is a pretty cool example of applied physics.
The paper doesn't appear to report anything else on this effect, but AFAICT, it's new. The Wired story described two hypotheses, one of which involved the laster heating the air immediately above the microphone, simulating a sound wave as the light amplitude is modulated.
Personally I've seen cheap lasers without a good focussing mechanism get house sized at even a few hundred yars, I bought a 1w laser diodes years ago that had no optics to focus it and at a foot it was roughly the size of a dime and absurdly bright and at a few hundred yards the diameter was taller than a door and incredibly dim -we tested it by shining it across a pond at the apartments we were living at one night aiming where there were no windows and immediately turned it off due to the massive size of the dot.
I imagine they were just using what they had on hand to attempt to make a collimating lens/focusing Lens.
If you have a pair of binoculars, go shine a flashlight into them (from both ends) tonight and you'll see that even a cheap optic can drastically change a light source. It's actually a fun little hack for making a searchlight when you're camping, you'll get a considerably brighter spot of light.
I always felt all these assistants we're super creepy any way and I get a lot of things hooked up in my smart home but want to control everything via my phone, which I trust.
They're terribly useful for listening to music, setting timers, alarms, reminders, checking weather, traffic, unit conversions, and just general web lookups.
I suspect what you meant was, "why do people trade their privacy for convenience?" Which of course is ALWAYS the trade-off one makes when it comes to security.
I personally have decided (for now) that the convenience of the devices outweighs the likely harm they will have on me. Would I have one if I were running for political office? Absolutely not.
A smartphone that would be in your hands or pockets anyways.
It's luxury tech. That's where the market is.
That's a incredibly broad statement... anything you do can be done in another way which someone could define as luxury. I can churn butter, but I like the luxury to buy it instead, I expect you are the same ;).
VUI is just another new interface for devices that provides convenience.
In short: it enables people to get even more lazy. No wonder US has an obesity problem.
Every time I pull out my phone there is the temptation to check my email, message friends, etc.
But with my echo dot (or google home mini, I currently have both while I decide which to keep) I can control my lights by voice without missing a beat, I can play music for my kids to dance to without fumbling through an app, I can check the weather forecast while I'm digging through the coat closet, all without being distracted from what I'm doing and without any extra fluff.
I do not have any locks or security systems connected to them as I do not trust them that far, but for informational and recreational use they have made things considerably more convenient.
If you can find a standalone internet radio that's as convenient as an Amazon Echo, please let me know. It's an underserved market.
Maybe once "okay google" works correctly on my phone, I'll start using one of these.
These devices are as literally Big Brother as it gets.
I personally boycott Google products and do not purchase from Amazon. Google has gone from ‘don’t be evil’ to ‘be evil and pretend we’re still cool’.
When it comes down to it, we are all compromised, and it's just a question of what you are comfortable with. Some people choose not to use electricity at home, and yet they go on living. Your choices are your own, and of the billions of people you should take pride in your individuality and be comfortable in your choices.
Stop this. You are putting blame on the end user for failing to understand complex security and privacy issues.
Also, this is an incorrect understanding of network economies and society.
"it doesn't take a genius" to carefully check a car for safety features, like having brakes. Yet there are regulations to protect car buyers.
Without the intervention of regulators we would not have safety belts and airbags.
Same for building safety. Food safety and so on.
The same goes for privacy. In a world where any device in your home has cameras and microphone it becomes impossible for a lone individual to push back.
You need a whole society to do that.
Then, forgive my tone, but it doesn’t take a genius to understand that you don’t want one constantly monitoring you in your home. Where you have private conversations. This is my point.
These devices are physical spyware - they’re as useful and terrible as Bonzi Buddy but people pay for it.
I use TOR, for everything. Even basic browsing. I’ll take the performance hit any day.
I also disable JS on 90% of sites I visit.
I’ve stayed at an iPhone 6S that I could jailbreak to observe outgoing and incoming network information and block IPs where necessary, and redirect to TOR in the background.
I don’t keep Android devices and let all of my friends know about all the serious security risks involved, and beg them to at least get a refurbished iPhone instead.
I have friends in the psychedelic scene who literally text each other openly about LSD like total idiots when Signal is free.
I have friends who have ended up in prison, not even jail, from this kind of shit.
I talk about psychedelics, I talk about occultism, I talk about revolutionary political ideas, and I talk about private details like my sex life, comfortably, at home, as do many, many of my friends.
Having one of these devices in their home alone could be a ticket to jail or prison for them.
You’re telling me there are advantages for this shit? Because you can turn your lights on without having to grab your phone, or, God forbid, stand up and go flick a light switch, it’s worth it to have corporations listening in to all your shit?
You’ve obviously never had to watch a best friend dragged off by police due to getting nabbed by information grabbed through technology. Good for you! Have a cookie.
Some people are involved in progressing society beyond its pathetic, self destructive status-quo, to move the world forward, and we need privacy to do that.
If you wanna live your little work, wife, and kids life, where you’d never be concerned about a single thing you say while your Echo is around, go for it.
Myself? I actually intend to change the world while I’m on it. So no, I’m not alright with anyone listening in to what I’m doing.
Do not redirect traffic from applications that have not been designed for Tor into the Tor network!
They can leak all sort of data making it even worse than non-Tor traffic.
(BTW it's written Tor)