Research has discovered a new type of NUIT attack that can launch “silent attacks” on smartphones, smart speakers, or Internet of Things devices.
The US research team demonstrated a new type of attack called Near-Ultrasound Inaudible Trojan (NUIT), which uses the microphone and voice assistant vulnerabilities of the device to send malicious commands to voice assistants such as Apple Siri, Google Assistant, Amazon Alexa, etc., making smartphones, Smart speakers and other IoT devices are under attack.
In a paper published by UT San Antonio professor Guenevere Chen and his Ph.D. student Qi Xia, and CU Colorado Springs professor Shouhuai Xu, they demonstrated the ability to send malicious commands to a device.
The main principle of the NUIT attack is that the microphone in the device receives close-range ultrasonic waves that are inaudible to the human ear, which can be integrated in media websites or YouTube videos, tricking victims into visiting specific websites, or playing specific YouTube videos on trusted websites It is possible to be recruited, which is a relatively simple social engineering attack method.
“If you’re streaming YouTube on your smart TV, which has speakers, NUIT malicious commands can make specific audio inaudible and attack your phone. It might even be possible to launch an attack through Zoom during a video conference, when someone unmute to listen to the meeting content , can embed the attack signal to crack the mobile phone placed next to the computer”, Guenevere Chen further explained that the speaker needs to reach a certain volume to make the NUIT attack effective, but the audio length of the malicious command must be less than 0.77 seconds.
▲ The voice assistant quietly received a malicious command to open the door. (Source:NUIT Attack）
“If you don’t use speakers to broadcast sound, you are less likely to be attacked by NUIT.” Guenevere Chen suggested that you can use headphones instead of speakers, because the sound from the headphones is too low to be transmitted to the microphone. Once the microphone cannot receive malicious commands, it will also Unable to activate voice assistant.
In the face of the new type of NUIT attack, in addition to being aware of this attack and being more cautious when clicking web links and granting microphone permissions, trying to play sound with headphones can also avoid malicious attacks.
(Source of the first image:Unsplash）
New knowledge of science and technology, updated from time to time