SurfingAttack exploits ultrasonic guided wave propagating through solid-material tables to attack voice control systems. By leveraging the unique properties of acoustic transmission in solid materials, we design a new attack called SurfingAttack that would enable multiple rounds of interactions between the voice-controlled device and the attacker over a longer distance and without the need to be in line-of-sight. By completing the interaction loop of inaudible sound attack, SurfingAttack enables new attack scenarios, such as hijacking a mobile Short Message Service (SMS) passcode, making ghost fraud calls without owners' knowledge, etc.
@inproceedings{yan2020surfingattack, author = {Yan, Qiben and Liu, Kehai and Zhou, Qin and Guo, Hanqing and Zhang, Ning}, title = {SurfingAttack: Interactive Hidden Attack on Voice Assistants Using Ultrasonic Guided Wave}, booktitle={Network and Distributed Systems Security (NDSS) Symposium}, year = {2020}, }
SurfingAttack was discovered by the following team of academic researchers:
Contact us at surfingattack@gmail.com
SurfingAttack modulates the voice command onto inaudible frequency band, and transmits attack signals using an off-the-shelf PZT transducer (cost $5 per piece) through different types of tables made of solid materials.
What devices can be compromised by the commands injected via SurfingAttack?We validated successful SurfingAttack on the following devices, and we believe more devices could be vulnerable. The phones protected by silicone rubber phone cases are also vulnerable.
Manufacturer | Model | Os/Version | Best fc(kHz) |
---|---|---|---|
Pixel | Android 10 | 28.2 | |
Pixel 2 | Android 10 | 27.0 | |
Pixel 3 | Android 10 | 27.0 | |
Moto | G5 | Android 7.0 | 27.0 |
Moto | Z4 | Android 9.0 | 28.2 |
Samsung | Galaxy S7 | Android 7.0 | 25.8 |
Samsung | Galaxy S9 | Android 9.0 | 26.5 |
Xiaomi | Mi 5 | Android 8.0 | 28.3 |
Xiaomi | Mi 8 | Android 9.0 | 25.6 |
Xiaomi | Mi 8 Lite | Android 9.0 | 25.5 |
Huawei | Honor View 10 | Android 9.0 | 27.7 |
Apple | iPhone 5 | iOS 10.0.03 | 26.2 |
Apple | iPhone 5s | iOS 12.1.2 | 26.2 |
Apple | iPhone 6+ | iOS 11 | 26.0 |
Apple | iPhone X | iOS 12.4.1 | 26.0 |
Scientific American, Science Daily, Futurity, BBC Radio, Forbes, Popular Mechanics, Inverse, Gizmodo, FastCompany, Hackster, Techworm, CISOMAG, Android Authority, ACM TechNews, Security Affairs, The Register, Extreme Tech, TechXplore, Apple Insider, MediaPost, NewsBreak, Techradar, Twitter #surfingattack, MSU Engineering, MSU Today, We live security, 钛媒体, 凤凰新闻, 新浪, 腾讯, 搜狐, cnbeta, 每日头条, ... ...