It is always good to hear of new dogs learning old tricks, and how to apply them to modern devices.
Two security researchers have just announced that they have been able to use close-range radio to inject an attacker’s voice into headphone cables, and thus give Siri spoken commands.
The basic technique involved here must be getting on for a century old, which is probably a first for such a novel ‘vulnerability’. Radio transmitters have been known to be able to ‘inject’ speech and music into audio systems in this way for a very long time.
When TV first started to become popular, a lot of new users had vertical runs of coaxial antenna cable running up to their TV aerial. If they were unfortunate enough to live near a taxi radio-control centre or any other radio transmitter, the coaxial cable could readily act as an aerial for those transmissions, which could then end up breaking into the audio of their TV. In this case, the standard solution was a ‘braid-breaker’, which prevented signals from the outer braid of the cable from reaching the TV set.
A similar effect was also reported quite widely among those with long cable runs to HiFi or public address loudspeakers. We heard of sporadic cases of village fetes and other gatherings being interrupted by all sorts of inadvertently intercepted speech or other audio.
But the most bizarre unintended radio receivers which I heard of were some of those with extensive amalgam (mercury-based) fillings in their teeth, who claimed to receive audio from local taxi firms or broadcast stations. I always wondered whether that last was an early urban myth, but most of us knew someone who knew someone who had suffered from this.
So, yes, any length of cable such as that found in cabled headphones can – when all the conditions are right – receive audio via radio transmissions. And if that cable is connected to the audio input of an iOS or other device which can accept spoken commands, of course command injection can occur.
The snag is that, as with most electromagnetic compatibility issues, the exploit is hideously unreliable. To get it to work, you need a radio transmitter in just the right place, operating on just the right frequency, with combined headphone and mike cables of just the right type and length, as well as the right opportunity for the injected speech to be received as voice commands.
It’s less of a vulnerability, more of a party trick.