Monkey Says, Monkey Does: Security and Privacy on Voice Assistants

The introduction of smart mobile devices has radically redesigned user interaction, as these devices are equipped with numerous sensors, making applications context-aware. To further improve user experience, most mobile operating systems and service providers are gradually shipping smart devices with voice-controlled intelligent personal assistants, reaching a new level of human and technology convergence. While these systems facilitate user interaction, it has recently been shown that devices with such functionality are exposed to a potential risk. Our independent research indicates that this threat is not merely potential, but very real and more dangerous than initially perceived, as it is augmented by the inherent mechanisms of the underlying operating systems, the increasing capabilities of these assistants, and the proximity to other devices in the Internet of Things (IoT) era. In this paper, we discuss and demonstrate how these attacks can be launched, analysing their impact in real-world scenarios.
