Back in 2017, researchers in China reported on a clever way to access a digital assistant, like Google Assistant or Siri, by using inaudible ultrasonic sound waves. Now a new team at Washington University in St. Louis have been working on similar technology, and their version is even more capable (and scary) than the original.
The idea behind all this is that rather than interacting with a voice assistant via normal, spoken commands, you can instead encode your voice on an ultrasonic carrier that your phone or smart speaker is still able to interpret.
The latest version of this surreptitious exploit requires a bunch of ultrasonic hardware and, once assembled, the device can successfully issue seemingly silent commands at up to 30 feet away — a huge increase over the "few feet" limitation of the 2017 hack. Unlike the previous version, the newest hack can also be used through physical barriers, like metal, glass, and wood, though it had trouble operating through thin fabrics: namely a tablecloth.
In the wrong hands, a hacker could essentially siphon personal information stored on a phone, hijack smart home gadgets, and more.
Luckily, just like commanding a Google Home or Amazon Echo with freakin' laser beams, the complexity of this hack makes it an unlikely candidate to show up in the wild. That said, the fact that a digital assistant can be controlled without obvious user input is a solid reminder to take stock of your phone settings.
The easiest way to completely derail this potential threat is to disable always-on listening. If your phone isn't waiting to hear a voice assistant command, it can't be hijacked. When an assistant is invoked, you may want to consider removing personal results from the list of items it can access. Finally, you can always check your Google Activity history to review your activity log and to see what kinds of commands Assistant has carried out.