1. 7

    This seems way overblown. Everything you can do with this, you can do with normal audio, the only difference is the user can’t hear you speak to Siri/Alexa, though they absolutely can hear the response. So the only real benefit gained here is you aren’t advertising that you’re attempting to control Siri/Alexa.

    And of course there’s some outright FUD in the article. No, someone can’t just walk by you in the crowd and cause your phone to unknowingly visit a malicious site. If your phone is locked, Siri requires you to unlock your phone before doing most things (and the ones she doesn’t do this for are pretty harmless). And if your phone is unlocked, that’s because you’re using it, and you’re going to see the Siri interface come up, see the transcript of what the attacker said, see Siri’s response, and have a chance to interrupt it at any point, just as if you were speaking to Siri yourself.

    1. 4

      Whether it’s obvious to a user that something just happened is a huge factor in how practical an exploit is. I do think this research points out an important threat.

      Also, but perhaps less fundamentally: Whether a phone needs to be unlocked to perform these commands depends on the user’s security settings. Not everybody even uses a passcode.

      1. 2

        Apple is making it increasingly difficult to not use a passcode. They’re definitely steering people towards touchid.

        1. 1

          I use a password all the time, how are they making it difficult exactly?

          1. 1

            I meant to use nothing.

        2. 1

          I get that they exist, but I don’t have much sympathy for someone who gets hacked due to the lack of a password.

          1. 2

            I understand that emotionally, but it’s everybody’s problem, you know? Personally I think that people who do understand this stuff have an obligation to help people who don’t to figure out what they should be doing. But even for those who don’t believe that, a compromised phone will often lead to a compromised email account, which will be used to send spam and phishing to others.

            But it’s certainly a topic where it’s possible for reasonable people to disagree.

      1. 5

        In the Hacker News comments for this article, antirez linked an alternative approach using a Feistel network that works for any resolution: http://antirez.com/news/113

        1. 5

          Like the original code, Antirez’s approach uses power-of-two width and height and discards values that are out-of-range, but you can even build a Feistel-like function with non-power-of-two range and domain (e.g., input and output are points on a 1920x1080 screen) using modular addition instead of XOR. In pseudocode, it’s

            for 1..rounds:
              x += f(y) mod maxX
              y += f(x) mod maxY
          

          and for the inverse, you swap the steps and subtract instead of adding (with wraparound for negative results)

            for 1..rounds:
              y -= f(x) mod maxY
              x -= f(y) mod maxX
          

          Since it’s invertible, it’ll cover every output in its range if you give it every input. (If you want, you can use different functions at each step and throw in other kinds of invertible step entirely, like x *= n mod maxX where n and maxX share no prime factors.)

          It’s slow. Besides doing more work than Wolf3D’s LFSR, all the divisions to keep the results in range are more expensive than just throwing away out-of-range results like Antirez’s code. Still a fun trick. Here’s a concrete example of a function like this in JavaScript:

          
            // Screen dimensions for the example below; the 1920x1080 case
            // is the one mentioned above (defined here so the snippet runs).
            var maxX = 1920;
            var maxY = 1080;

            // Forward permutation: four rounds, each mixing one coordinate
            // into the other with modular addition.
            function f(x, y) {
              for (var i = 0; i < 4; i++) {
                  y += (x * 0x555) >> 3;
                  y %= maxY;
                  x += (y * 0x555) >> 3;
                  x %= maxX;
              }
              return [x, y];
            }
          
            // Inverse: undo the steps in reverse order, subtracting instead
            // of adding.
            function inverseF(x, y) {
              for (var i = 0; i < 4; i++) {
                  x -= (y * 0x555) >> 3;
                  x %= maxX;
                  if (x < 0) x += maxX; // % operator doesn't wrap negative values for us
                  y -= (x * 0x555) >> 3;
                  y %= maxY;
                  if (y < 0) y += maxY;
              }
              return [x, y];
            }
          
            /*
            >> f(3, 3)
            [1370, 207]
            >> inverseF(1370, 207)
            [3, 3]
            */
          

          I might’ve messed up some overflow case or something, and you can probably make a permutation look fine with a lot less, but there’s the idea.
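Added example, not part of the thread and not antirez’s code: the same Feistel-like construction generalised to an arbitrary width x height grid, with a round-dependent round function, the multiplicative step mentioned above (x *= n mod width, undone with the modular inverse of n, which only exists when n and width share no prime factors), and a brute-force check on a small non-power-of-two grid that every cell is hit exactly once. The names (permute, unpermute, roundF, modInverse, isPermutation) and the constants 0x555, 7 and ROUNDS are illustrative choices, not from the original.

```javascript
// Added example (not from the thread): a Feistel-like permutation over a
// width x height grid whose dimensions need not be powers of two. Each round
// mixes one coordinate into the other with modular addition (undone by
// modular subtraction) and scales x by a multiplier coprime to width (undone
// by multiplying with the modular inverse). Constants are arbitrary.

const ROUNDS = 4;

// Round function: any integer function of the other coordinate works.
// The round index i is mixed in so rounds differ; 0x555 and 7 are arbitrary.
function roundF(v, i) {
  return (v * 0x555 + i * 7) >> 3;
}

// Positive remainder (JS % keeps the sign of the dividend).
function mod(a, m) {
  return ((a % m) + m) % m;
}

// Extended Euclid: inverse of a mod m, or null when gcd(a, m) != 1.
function modInverse(a, m) {
  let [oldR, r] = [mod(a, m), m];
  let [oldS, s] = [1, 0];
  while (r !== 0) {
    const q = Math.floor(oldR / r);
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1) return null; // not coprime, so not invertible
  return mod(oldS, m);
}

// Forward permutation of the cell (x, y).
function permute(x, y, width, height, mul) {
  for (let i = 0; i < ROUNDS; i++) {
    y = mod(y + roundF(x, i), height);
    x = mod(x + roundF(y, i), width);
    x = mod(x * mul, width); // requires gcd(mul, width) == 1
  }
  return [x, y];
}

// Inverse: undo each round's steps in reverse order, rounds in reverse too.
function unpermute(x, y, width, height, mul) {
  const inv = modInverse(mul, width);
  if (inv === null) throw new Error("multiplier must be coprime to width");
  for (let i = ROUNDS - 1; i >= 0; i--) {
    x = mod(x * inv, width);
    x = mod(x - roundF(y, i), width);
    y = mod(y - roundF(x, i), height);
  }
  return [x, y];
}

// Brute-force check: every cell maps to a distinct in-range cell (so a
// visit order built from permute() covers the whole grid exactly once),
// and unpermute() round-trips. Run this on a small grid whenever the round
// function or step order is changed.
function isPermutation(width, height, mul) {
  const seen = new Set();
  for (let y = 0; y < height; y++) {
    for (let x = 0; x < width; x++) {
      const [px, py] = permute(x, y, width, height, mul);
      if (px < 0 || px >= width || py < 0 || py >= height) return false;
      seen.add(py * width + px);
      const [bx, by] = unpermute(px, py, width, height, mul);
      if (bx !== x || by !== y) return false;
    }
  }
  return seen.size === width * height;
}

// Usage: a 7x5 grid with multiplier 3 (gcd(3, 7) == 1) is a full permutation.
console.log(isPermutation(7, 5, 3), permute(3, 3, 1920, 1080, 7));
```

The invertibility argument in the comment above is exactly what isPermutation checks by exhaustion: each step is a bijection on one coordinate given the other, so their composition is a bijection on the grid, and the inverse only needs the steps reversed. Picking a multiplier that shares a factor with the width breaks this, which is why modInverse refuses rather than silently returning a wrong value.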

        1. 18

          This story can’t possibly be true. Instagram cannot be listening to your microphone while it’s in the background. OP says they’re using an iPhone, and on the iPhone, if an app is using the microphone in the background, there’s a gigantic red status bar that’s impossible to miss. Not to mention the phone was in low power mode, and low power mode disables most background processing anyway.

          This appears to just be a case of confirmation bias.

          1. 3

            Not true. In fact, the audio subsystem is on the short list of things that can reliably be accessed in the background.

            See https://developer.apple.com/library/content/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/BackgroundExecution/BackgroundExecution.html

            1. 4

              If the app is already recording, sure (but if it is, then you can’t possibly miss the big red status bar that shows up when you move the app to the background). But if it’s not already recording, then it’s not going to have a chance to wake up in the background in order to start secretly recording (which isn’t going to work anyway because it would have to be certain the user isn’t looking at the screen and so won’t see the red status bar, and it doesn’t have any way of knowing that).

              1. 3

                I’m not so fast to reject that FB is doing something unethical. They’ve been down this road before https://techcrunch.com/2015/10/15/facebook-working-on-fix-for-ios-app-battery-drain-issue/

                1. 6

                  Yes, they were abusing background audio sessions (by playing a silent file) in order to stay awake in the background. That’s pretty bad. But that doesn’t really have any bearing on the concrete factual objections I raised to the plausibility of this story.

                  1. 2

                    It’s proof that your objections are neither concrete nor factual, and that Facebook isn’t afraid to abuse this behavior (and potentially other unknown behaviors).

                    I’m not accusing anyone of doing this, but it’s a little naive to presume impossibility.

                    1. 1

                      I listed a very obvious factual reason why they cannot possibly be doing this. The gigantic red status bar that would be impossible to miss. I don’t understand why you seem to be trying to spread FUD about “maybe they’re doing it anyway” because they cannot do this without being noticed immediately by basically their entire userbase.