Hackers can now control your smart home, and even your car if it is set up through your smart home, by injecting malicious commands into the smart device’s system via a laser. Devices that can be affected by this attack include smart speakers, tablets, and phones as hackers are able to shoot the lasers through glass windows from up to 110 meters away.
These attacks are possible due to the photoacoustic effect on microphones, meaning that light is converted to sound through the microphone as the movement of light is replicated in the diaphragm of the smart device. With this process, hackers can perform a remote voice-command injection attack without the victim realizing it, as the process is completely silent. This hack can also work with flashlights.
Once the hacker has access to a smart device they can then use the light-injected voice commands to unlock smart lock enabled doors, shop e-commerce sites, access and use the victim’s payment methods, and unlock or start vehicles that are connected to the smart device account. This is possible due to the lack of user authentication in many smart devices.
To execute a smart home attack, all a hacker needs is a laser pointer, a laser diode driver, a sound amplifier, and a telephoto lens. With these tools the threat actor is able to bounce the light and commands up to 110 meters away and take control of your smart device.
The following is a list of confirmed smart devices with vulnerabilities that can leave your smart home vulnerable to a remote hack:
- Google Home
- Google Home Mini
- Google NEST Cam IQ
- Echo Plus 1st Generation
- Echo Plus 2nd Generation
- Echo Dot 2nd Generation
- Echo Dot 3rd Generation
- Echo Show 5
- Echo Spot
- Facebook Portal Mini
- Fire Cube TV
- EchoBee 4
- iPhone XR
- iPad 6th Generation
- Samsung Galaxy S9
- Google Pixel 2
Protect your home
This is highly technical attack vector that (to this point) appears to have mostly been utilized in a research/lab setting, so there is no reason to panic if you currently have several of these devices in your home. However, in order to best protect your smart home while waiting on the tech companies to address this vulnerability, all smart devices should be placed away from windows and mirrors, as laser lights and flashlights can be used through them (windows) or bounced off of them (mirrors). It is also advised to put a physical barrier around your smart device to block the microphone. Once blocked, it should not be vulnerable to a laser/light remote attack.
Lastly, individuals can add an additional layer of authentication to their smart devices, such as a random question that must be answered before the execution of a command or a voice PIN. With these tips, your smart home should be kept safe from a remote voice-command injection attack.
Gelinas, J. (2019, November 5). Hackers can hijack your smart home tech using just a laser pointer. Retrieved from https://www.komando.com/happening-now/611249/smart-speakers-hacked-with-laser-pointers.
Linder, C. (2019, November 6). Hackers Can Shine Lasers at Your Alexa Device and Do Bad, Bad Things to It. Retrieved from https://www.popularmechanics.com/technology/security/a29689494/hackers-lasers-alexa-google-home/.
Perlroth, N. (2019, November 4). With a Laser, Researchers Say They Can Hack Alexa, Google Home or Siri. Retrieved from https://www.nytimes.com/2019/11/04/technology/digital-assistant-laser-hack.html.
Rogers, J. (2019, November 5). Amazon Alexa, Apple’s Siri and Google Assistant can be hacked using lasers, experts warn. Retrieved from https://www.foxnews.com/tech/amazon-alexa-apple-siri-google-assistant-hack-lasers.