Using Inaudible Audio and Voice Assistants to Transmit Sensitive Data over Telephony

by   Zhengxian He, et al.

New security and privacy concerns arise due to the growing popularity of voice assistant (VA) deployments in home and enterprise networks. A number of past research results have demonstrated how malicious actors can use hidden commands to get VAs to perform certain operations even when a person may be in their vicinity. However, such work has not explored how compromised computers that are close to VAs can leverage the phone channel to exfiltrate data with the help of VAs. After characterizing the communication channel that is set up by commanding a VA to make a call to a phone number, we demonstrate how malware can encode data into audio and send it via the phone channel. Such an attack, which can be crafted remotely, at scale and at low cost, can be used to bypass network defenses that may be deployed against leakage of sensitive data. We use Dual-Tone Multi-Frequency tones to encode arbitrary binary data into audio that can be played over computer speakers and sent through a VA mediated phone channel to a remote system. We show that modest amounts of data can be transmitted with high accuracy with a short phone call lasting a few minutes. This can be done while making the audio nearly inaudible for most people by modulating it with a carrier with frequencies that are near the higher end of the human hearing range. Several factors influence the data transfer rate, including the distance between the computer and the VA, the ambient noise that may be present and the frequency of modulating carrier. With the help of a prototype built by us, we experimentally assess the impact of these factors on data transfer rates and transmission accuracy. Our results show that voice assistants in the vicinity of computers can pose new threats to data stored on such computers. These threats are not addressed by traditional host and network defenses. We briefly discuss possible mitigation ways.


page 1

page 4

page 5


COVID-bit: Keep a Distance of (at least) 2m From My Air-Gap Computer!

Air-gapped systems are isolated from the Internet due to the sensitive i...

MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communication

In this paper we show how two (or more) airgapped computers in the same ...

GhostTalk: Interactive Attack on Smartphone Voice System Through Power Line

Inaudible voice command injection is one of the most threatening attacks...

Introducing a Novel Data over Voice Technique for Secure Voice Communication

The current increasing need for privacy-preserving voice communications ...

SonarSnoop: Active Acoustic Side-Channel Attacks

We report the first active acoustic side-channel attack. Speakers are us...

Lightweight Dual-channel Target Speaker Separation for Mobile Voice Communication

Nowadays, there is a strong need to deploy the target speaker separation...

Referring to Screen Texts with Voice Assistants

Voice assistants help users make phone calls, send messages, create even...

Please sign up or login with your details

Forgot password? Click here to reset