Modern mobile malware often relies on the human factor. The attacker is continually looking for new ways to trick victims into opening their phishing emails, visit malicious websites and download infected apps. But with heightened awareness of online scams, users are becoming wiser to criminal attempts.
With this in mind, mobile cybercriminals have now developed a completely new approach that excludes the victim from the hacking sequence and gives the hacker access to a phone’s entire contents through voice recognition software. With attackers becoming more creative by the day, this is the latest approach to infecting certain smartphones.
As the use of mobile assistant systems such as Siri and Google Now become more frequently used enterprises and users need to be aware of the implications that voice recognition hacks could have.
Understanding the technology behind the voice
The creativity of this attack vector has the advantage of excluding the user from the attack sequence. Instead of misleading a user to download a fake app via an ad, the attacker can now directly instruct the device that is ‘listening’ for instructions to download the fake app directly. The audio instruction is simply picked up by the device’s voice recognition system.
The attack method might be used in two main streams: Advanced Targeted Attack – where the attacker specifically targets an employee to penetrate a corporate network. For example, the attacker could play the modified instructions in proximity to the employee outside the office, hitting the right ‘notes’ to gain unauthorised access to the device.
The other is Mass Campaign – this is achieved by publishing a malicious video or a viral song on social networks and relying on it being played on a large number of devices maximises the chances of potentially reaching a vulnerable device. As mentioned, the attack is still in infancy, but it is in the hands of operators and device manufacturers to protect against this kind of attack and for enterprises and users to be aware. Mobile design teams need to ensure for more user friendly and flexible control over the voice recognition features.
Know the danger and protect your business
The attack success varies depending on the device and its configuration. Some devices would not have the voice recognition function enabled by default, others won’t execute commands unless the screen is unlocked.
Other devices however, such as those belonging to drivers or travellers may well have the functionality always enabled, due to the ‘hands free’ benefits. Whether it’s dependent on the device, user or configuration, one thing is crucial for organisations to do – make all mobile users aware of the dangers. Awareness of new hacking capabilities is always the first step to protecting your enterprise against mobile attacks. Users should be aware of this attack vector and be able to react adequately when it happens, especially executives and administrators handling sensitive data.
The next step is to have a mobile security solution enabled to stop the plausible outcomes of such exploits, to prevent any phishing or malicious websites being accessed.
Voice recognition technology is popular due to its convenience and speed, and operators are heavily investing in new developments to improve the mobile experience - indeed Microsoft recently announced that it has developed its lowest error rate (opens in new tab) in speech recognition technology.
But as with all technology advances, hacking capabilities will progress and develop alongside them. This is a very sophisticated hacking tactic, and its obscurity as an attack vector makes it all the more dangerous. But it can be prevented with the right security solutions and raised awareness within organisations.
Dan Cuddeford, Director of Sales Engineering, Wandera (opens in new tab)
Image source: Shutterstock/Carlos Amarillo