1. 16
  2. 7

    This seems way overblown. Everything you can do with this, you can do with normal audio, the only difference is the user can’t hear you speak to Siri/Alexa, though they absolutely can hear the response. So the only real benefit gained here is you aren’t advertising that you’re attempting to control Siri/Alexa.

    And of course there’s some outright FUD in the article. No, someone can’t just walk by you in the crowd and cause your phone to unknowingly visit a malicious site. If your phone is locked, Siri requires you to unlock your phone before doing most things (and the ones she doesn’t do this for are pretty harmless). And if your phone is unlocked, that’s because you’re using it, and you’re going to see the Siri interface come up, see the transcript of what the attacker said, see Siri’s response, and have a chance to interrupt it at any point, just as if you were speaking to Siri yourself.

    1. 4

      Whether it’s obvious to a user that something just happened is a huge factor in how practical an exploit is. I do think this research points out an important threat.

      Also, but perhaps less fundamentally: Whether a phone needs to be unlocked to perform these commands depends on the user’s security settings. Not everybody even uses a passcode.

      1. 2

        Apple is making it increasingly difficult to not use a passcode. They’re definitely steering people towards touchid.

        1. 1

          I use a password all the time, how are they making it difficult exactly?

          1. 1

            I meant to use nothing.

        2. 1

          I get that they exist, but I don’t have much sympathy for someone who gets hacked due to the lack of a password.

          1. 2

            I understand that emotionally, but it’s everybody’s problem, you know? Personally I think that people who do understand this stuff have an obligation to help people who don’t to figure out what they should be doing. But even for those who don’t believe that, a compromised phone will often lead to a compromised email account, which will be used to send spam and phishing to others.

            But it’s certainly a topic where it’s possible for reasonable people to disagree.

      2. 4

        How does this account for/work around the individual voice recognition? (Hey Siri is trained to recognise the user’s voice when setting it up)

        1. 2

          I remember the first time I heard about Siri, this was the first thing that came to my mind, so I thought since this is so obvious, they must’ve solved that problem… Guess not.

          1. 2

            I feel like this is something that can be solved with an 8 or 10 pole low-pass filter tuned to 22.05 kHz (or even lower) before the ADC?

            1. 1

              What’s the significance of the “8 or 10 pole” part?

              1. 2

                You want it to have sufficient resolution to be able to clip out just the parts that you can’t hear.

            2. 1

              Terrifying!!

              1. 2

                Here, have a DIY Long Range Acoustic Device kit.

                1. 1

                  Indeed. Is there a way I can notify the mods to do the merge?

                  1. 1

                    @Irene @jcs halp.

                    Also, TechCrunch is pretty much always the sign of a bad submission.