Monday, 10 November 2014

Computers Could Talk Themselves Into Giving Up Secrets

Technology Review (10/30/14) David Talbot

Researchers from the Georgia Institute of Technology say they have found numerous security flaws that could allow malicious hackers to seize control of PCs and smartphones through the use of voice-control features, including those designed to make the devices easier for disabled individuals to use. In research that will be presented at the 21st ACM Conference on Computer and Communications Security this week in Scottsdale, AZ, the researchers describe 12 methods of subverting devices running the Android, iOS, Windows, or Ubuntu Linux operating systems (OSes), in some cases using methods that would not require any physical contact with the device. One attack uses malware that leverages Windows Speech Recognition to talk its way into running commands that would normally require a higher level of privilege, while another involves subverting the voiceprint feature of Android's Google Now digital assistant to access a device and then using generic text-to-speech apps to issue commands as if it were the user. Lead researcher Wenke Lee says most of the vulnerabilities are the result of voice command features being added late in the development cycle, making them less likely to be vetted for security vulnerabilities. "These features were added after the OS had been implemented, so these features don't have the same kinds of security checks," Lee says.
