A team at Washington University in St Louis successfully used guided ultrasonic waves to trick the voice assistants into performing various actions (h/t: Vice). These actions include placing calls, taking pictures, retrieving passcodes in text messages, and adjusting volume.
Furthermore, the smartphones were simply placed on tables, with the ultrasonic waves being transmitted via this solid surface. The team noted that the so-called Surfing Attack worked on tables made out of wood, glass, and metal. They added that the hack worked on plastic tables too, but wasn’t as reliable.
So how does the hack work?
Researchers attached a microphone (to hear the assistant’s responses) and piezoelectric transducer to the bottom of the table. The team also had a waveform generator nearby to generate the relevant signals, with a laptop running the Surfing Attack software.
The researchers tested 17 phones and found that the attack worked on 15 devices from four manufacturers. These brands are Google (Pixel 1, Pixel 2, Pixel 3), Motorola (G5, Z4), Samsung (Galaxy S7, Galaxy S9), Xiaomi (Mi 5, Mi 8, Mi 8 Lite), and Apple (iPhone 5/5s/6 Plus/X). They also noted that the attack worked against phones with silicone cases. Either way, it’s extremely likely that loads of other phones could be affected by this hack.
The team also tested the Huawei Mate 9 and Samsung Galaxy Note 10 Plus but found that they weren’t susceptible to the hack. It’s believed that the phones’ curved rear covers helped here, as they reduce the surface area touching the table.
As for protecting your device against the Surfing Attack, the team called on people to use thicker phone cases (e.g. wood), to place the phone on a tablecloth, and to disable voice assistant activation on the lock screen. They also recommend that you turn off lock screen personal results on Android, which means you need to unlock your device before Google Assistant can communicate on your behalf and access other personal info.