
Ultrasound Attacks on Voice Assistants: The “Hear no Evil” Threat


The notion that cyberattacks are on the rise is no longer news to WeLiveSecurity readers. As malicious actors continue to advance their methods, ransomware, phishing, and other types of attacks are becoming more sophisticated. As a result, cyber defenses need to become more robust to keep up with the ever-changing landscape of cybercrime, and reports of new attack methods continue to emerge.

One such new attack is known as NUIT, or Near-Ultrasound Inaudible Trojan, which could potentially hack voice assistants such as Siri, Google Assistant, Cortana, and Amazon Alexa without the user ever knowing it. The device would respond to near-ultrasound waves, prompting the voice assistant to perform an action that the user never intended it to do.

The threat of NUIT is real and has the potential to cause chaos as various devices that accept voice commands and are powered by voice assistants could become vulnerable. A breach of privacy, the loss of trust, and a compromise in an organization’s infrastructure could ultimately lead to significant monetary losses.

Academics at the University of Texas in San Antonio (UTSA) and the University of Colorado Colorado Springs (UCCS) discovered NUIT. It is not the first acoustic attack to be discovered: earlier attacks such as SurfingAttack, DolphinAttack, LipRead, and SlickLogin, all targeting smart-home assistants, are prominent examples. NUIT is unique, however, in that it can come in two forms.

In NUIT 1, the device is both the source and the target of the attack, which is activated when the user plays an audio file on their phone. The device then performs an action, such as sending a text message with its location. In NUIT 2, by contrast, a device with a speaker launches the attack against another device with a microphone, such as from a PC to a smart speaker.

For instance, during a webinar on Teams or Zoom, a participant can unmute and play a sound that is picked up by the victim’s phone, causing it to visit a website and become compromised with malware. Likewise, while YouTube videos are playing through a phone's loudspeakers, the device could receive a silent ultrasound command and carry out an unwanted action without any specific interaction from the user.
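Since both forms depend on a loudspeaker playing sound the listener cannot hear, one defensive check is to screen audio for frames whose energy sits mostly in the near-ultrasound band. The sketch below is an added example, not code from the researchers; the band limits, thresholds and function names are assumptions, because the article gives no figures.

```python
import math

# Assumed bands: the article gives no frequencies, so these are illustrative.
NEAR_ULTRASOUND_HZ = (16_000, 22_000)
SPEECH_HZ = (300, 4_000)

def band_power(frame, sample_rate, band):
    """Sum of normalised DFT bin powers inside `band`, one Goertzel pass per bin."""
    n = len(frame)
    lo, hi = band[0], min(band[1], sample_rate / 2)  # nothing exists above Nyquist
    total = 0.0
    for k in range(math.ceil(lo * n / sample_rate), int(hi * n / sample_rate) + 1):
        coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
        s1 = s2 = 0.0
        for x in frame:
            s1, s2 = x + coeff * s1 - s2, s1
        total += (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)
    return total

def flag_near_ultrasound(samples, sample_rate, frame_ms=20, ratio=4.0, floor=1e-4):
    """Return start times (ms) of frames dominated by near-ultrasound energy."""
    n = sample_rate * frame_ms // 1000
    # Hann window limits spectral leakage between the two bands.
    window = [0.5 - 0.5 * math.cos(2.0 * math.pi * i / (n - 1)) for i in range(n)]
    flagged = []
    for start in range(0, len(samples) - n + 1, n):
        frame = [s * w for s, w in zip(samples[start:start + n], window)]
        high = band_power(frame, sample_rate, NEAR_ULTRASOUND_HZ)
        low = band_power(frame, sample_rate, SPEECH_HZ)
        # Flag only frames that are loud up high and comparatively quiet in speech range.
        if high > floor and high > ratio * low:
            flagged.append(start * 1000 // sample_rate)
    return flagged

def tone(freq, n_samples, sample_rate, amplitude=0.5):
    """Constructed test signal: a plain sine tone, not a recorded command."""
    return [amplitude * math.sin(2.0 * math.pi * freq * i / sample_rate)
            for i in range(n_samples)]

# Constructed input: 100 ms at 1 kHz, 100 ms at 18 kHz, then 40 ms of silence.
RATE = 48_000
SAMPLE = tone(1_000, 4_800, RATE) + tone(18_000, 4_800, RATE) + [0.0] * 1_920

if __name__ == "__main__":
    print(flag_near_ultrasound(SAMPLE, RATE))
```

Audio sampled below roughly 32 kHz cannot carry the assumed band at all, so the function returns no hits for it rather than guessing.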

NUIT is easy to execute: all that is required is for the speaker to be set to a specific volume level, and the command lasts for less than a second. Currently, Apple Siri-enabled devices are said to be the hardest to hack. Users are encouraged to set up their assistants to work only with their own voice and to switch them off when not in use. Users should also ensure their smart gadgets are secure, as IoT devices make it easy for cybercriminals to prey on them.

The researchers from UTSA and UCCS also recommend that users scan their devices for random microphone activations. Both Android and iOS devices display microphone activation, usually with a green dot on Android, and a brown dot on iOS in the upper part of the screen. It is also essential to review the app permissions for microphone access since not every app needs to hear your surroundings.

To ensure maximum security, audio should also only be listened to using earphones or headsets. Cybersecurity basics such as keeping devices and software updated, enabling two-factor authentication on all online accounts, and using reputable security software across all devices should also be observed.

In conclusion, as new attack methods such as NUIT continue to emerge, both users and organizations need to be vigilant and keep up with the ever-changing landscape of cybercrime while implementing stringent security measures to stay safe from attacks.
