In the news lately I have seen some articles suggested to me by Google on the topic of lasers being able to hack into IoT devices like Google Home, Amazon Alexa, iPad, and pretty much anything with a microphone. I decided to look into this topic because I think that the security of IoT devices and mobile devices is a very important topic in computer security. According to the articles that I have read, it has been verified that lasers can send silent voice commands to devices with microphones. Some devices are more susceptible than others when it comes to the range that a laser can actually work from. In this document I will go into some detail about how a laser can send these silent voice commands, some statistics on the laser's effect on different devices, and some possible remedies to the hack.
All of the devices have a type of microphone called a MEMS (micro-electro-mechanical systems) microphone. A gap was found between the physics and specifications of this type of microphone that allows light to be recognized as sound. By modulating the amplitude of the laser light, sound can be injected into the microphone. (Takeshi Sugawara, 2019) At first I wondered how it is even possible that a laser beam consisting of light could inject voice commands into a device with a microphone. Evidently, when the laser is aimed at a microphone and its intensity is varied at a precise frequency, the light perturbs the microphone's membrane at that same frequency, producing a signal through the microphone that is received and interpreted by the device it was sent to. This was tested on many devices with microphones and every one was susceptible to the laser. The discovery of the laser's ability to manipulate a microphone's membrane to produce electrical signals to be processed by the device was made by a cyber security researcher named Takeshi Sugawara. He brought the discovery to the attention of a professor at the University of Michigan and they have been experimenting with it since. (Greenberg, 2019)
Some of the devices that the hack was tested on by the researchers were Amazon Echo, Apple HomePod, iPhone XR, Google Pixel 2, Samsung Galaxy S9, Facebook Portal Mini, etc. (Iyer, 2019) Some devices, like Siri and other AI assistants, were susceptible from up to 360 feet. The devices are even susceptible through windows. Mobile phones were much more difficult to hack into with the lasers, but it was still possible, with the range for the iPhone being about 33 feet and the range for Android phones being around 16 feet. All of these were done with a 60-milliwatt laser. The researchers of the laser hack also tested the devices with a 5-milliwatt laser, which is the equivalent of a cheap laser pointer that anyone can get. From 361 feet away with the 5-milliwatt laser, most of the researchers' tests failed except for Google Home and a first generation Echo Plus. (Greenberg, 2019)
As for problems that may arise because of this newfound hack, I do not think that it is something that people should be causing pandemonium over. This laser hack is very stealthy because the lasers are silent while they produce physical voice commands. Google, Apple, and some other device manufacturers say that they are looking into the research closely. Some day there could be a fix for the problem by using two microphones so the laser cannot penetrate both at the same time. Another fix for the problem could be a password that only the users of the device are aware of. With the password option it would be possible for sensitive commands like purchasing items to only be executed when given the password. More remedies like placing your assistants away from the window were suggested, since the laser hack can be done through a window, potentially letting the hacker unlock your door or garage. I guess as long as the microphone of your assistant is not visible from a window then it should be fine.
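The two remedies described above (a second microphone and a password for sensitive commands) can be sketched as a device-side check. This is an added example, not code from the researchers or any manufacturer; the command names, thresholds, PIN handling and audio samples are all assumptions constructed for illustration.

```python
import hmac
import math

# All names and thresholds below are assumptions for illustration only.
SENSITIVE_COMMANDS = {"unlock door", "open garage", "purchase item"}
MAX_LEVEL_GAP_DB = 20.0  # assumed: real speech reaches both mics at similar levels
NOISE_FLOOR = 1e-4       # assumed RMS floor so a silent channel cannot divide by zero


def tone(amplitude, n=160, freq=440.0, rate=16000):
    """Constructed stand-in for the audio captured by one microphone."""
    return [amplitude * math.sin(2 * math.pi * freq * i / rate) for i in range(n)]


def rms(samples):
    if not samples:
        return 0.0
    return math.sqrt(sum(s * s for s in samples) / len(samples))


def level_gap_db(channels):
    """Difference in dB between the loudest and the quietest microphone."""
    levels = [max(rms(ch), NOISE_FLOOR) for ch in channels]
    return 20 * math.log10(max(levels) / min(levels))


def single_mic_signal(channels):
    """True when only one microphone carries the signal (or only one exists)."""
    return len(channels) < 2 or level_gap_db(channels) > MAX_LEVEL_GAP_DB


def decide(command, channels, spoken_pin="", expected_pin=""):
    if single_mic_signal(channels):
        return "reject: signal on one microphone only"
    if command in SENSITIVE_COMMANDS:
        # Constant-time comparison; an unset PIN never authorizes a command.
        if not expected_pin or not hmac.compare_digest(spoken_pin, expected_pin):
            return "reject: PIN required"
    return "accept"


if __name__ == "__main__":
    spoken = [tone(0.30), tone(0.25)]   # constructed: voice heard by both mics
    injected = [tone(0.30), tone(0.0)]  # constructed: signal on one mic only
    print(decide("play music", spoken))
    print(decide("unlock door", spoken))
    print(decide("unlock door", spoken, "4821", "4821"))
    print(decide("unlock door", injected, "4821", "4821"))
```

The microphone check runs before the PIN check, so a command that appears on only one channel is refused even when the correct PIN accompanies it.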
It seems like it is a lot of work to be able to actually set up and execute a laser hack on any device. I do not think that many people out there will be utilizing this hack just because of the complexity of setting it up. Turning the voice command into a light signal seems very complicated to be able to do. Luckily the hack was discovered by professional cyber security researchers and they are figuring out all of the details about it so that it cannot be used in a malicious way. They disclosed all of their research so Google, Apple and other major manufacturers of the latest IoT devices can consider preventing these security vulnerabilities.
To conclude, I would like to mention that I think this hack is a very sophisticated one. It is amazing that all of the IoT device designers and engineers totally overlooked this hacking ability. IoT device makers will have to really rethink their designs and apply preventive measures for this security vulnerability. It is not just one company that is making these devices that are susceptible to this laser hack security vulnerability; it is all of them. Be it teamwork or whatever measures are necessary, these companies need to put their heads together and really work out the problem at hand.
Greenberg, A. (2019, November 4). Retrieved from wired.com: https://www.wired.com/story/lasers-hack-amazon-echo-google-home/
Iyer, K. (2019, November 7). Retrieved from techworm.net: https://www.techworm.net/2019/11/alexa-google-assistant-siri-laser-hack.html
Takeshi Sugawara, B. C. (2019, November 4). Light Commands: Laser-Based Audio Injection Attacks on Voice-Controllable Systems. Retrieved from lightcommands.com: https://lightcommands.com/20191104-Light-Commands.pdf