Hijack Siri, Alexa, Google, Bixby With Ultrasonic Waves

Voice assistants help you with your day-to-day tasks, whether it's making an appointment with a client, playing music, or something else. The market for voice assistants is full of options: Google, Siri, Alexa and Bixby. These assistants are activated by voice commands and get things done. For example, you can ask Alexa to play songs of your choice. These devices can be hijacked and used against their owner. Today we look at surf attacks, which use ultrasonic waves, and the potential problems they pose.

What is a surf attack?

Smart devices are equipped with voice assistants such as Google Home Assistant, Amazon Alexa, Apple Siri and some less popular voice assistants. I couldn't find any definition anywhere on the internet, so I define it as follows:


“Surfing attacks refer to the hijacking of voice assistants using inaudible sounds such as ultrasonic waves, with the intent to access device owners’ data without the owner’s knowledge.”

You may already know that human ears can only perceive sounds within a certain frequency range (20 Hz to 20 kHz). If someone sends audio signals that are outside the audio spectrum of human ears, a person cannot hear them. The same goes for ultrasound: its frequency is beyond the perception of human ears.

Bad guys have started using ultrasonic waves to hijack devices that take voice commands, like smartphones and smart homes. Voice commands sent at ultrasonic frequencies are beyond human perception. This allows hackers to get whatever information they want from what is stored in voice-enabled smart devices, using the voice assistants. They use inaudible sounds for this purpose.

For surfing attacks, hackers do not need to be in the line of sight of the smart device to control it through its voice assistant. For example, if an iPhone is lying on a table, people assume that a voice command has to travel through the air, so they would notice the hackers giving it. But this is not the case, because sound waves only need a medium to propagate.

Be aware that solid objects can also carry sound as long as they can vibrate. A wooden table can transmit sound waves through the wood. Ultrasonic waves sent this way are used as commands to do things illegally on the target users' smartphones or other smart devices that use voice assistants, such as Google Home or Alexa.

How do Surf Attacks work?

Surf attacks use inaudible ultrasonic waves that can pass through the surface on which the devices are kept. For example, if the phone is on a wooden table, all the hackers have to do is attach a machine to the table that can send out ultrasonic waves for a surf attack.

In fact, a device is attached to the victim's table or to any other surface on which they put the voice assistant. This device first lowers the volume of the smart assistant so that the victims do not suspect anything. The command comes through the device attached to the table, and the response to the command is collected by the same machine or by something else, which may be at a remote location.

For example, a command can be given by saying, "Alexa, please read the text message I just received." This command is inaudible to people in the room. Alexa reads out the SMS containing the OTP (one-time password) in an extremely low voice. This response is again captured by the hacking device and sent wherever the hackers want it.

Such attacks are called surf attacks. I tried to remove all technical words from the article so that even a non-technical person could understand this problem. For advanced reading, here is a link to a research paper that explains it better.
