On Smartphones, The Power Of Voice Can Be Used Against You
ARUN RATH, HOST:
We've heard a lot about smart phones getting hacked. As it turns out, not even Siri has your back. Videos have started popping up online of people using the built-in voice activation services on phones to get around pass codes - one shows an iPhone phone user summoning Siri without the pass code and accessing the phone's call history and contacts. These videos led one security expert to call on smart phone users to disable their - sorry - to disable their voice-activated personal assistants. Yuval Ben-Itzhak is the chief technology officer with the online security company AVG.
YUVAL BEN-ITZHAK: You talk to the device, and the device is taking actions on your behalf. Either it's making a call, setting an appointment, writing an email. But what we found out - that although those technologies are exciting, they're not authenticating or not verifying the source of the voice. So who is talking to the device? Who is making the call?
An app that sits on your phone can actually send an e-mail on your behalf or can make a call on your behalf. In some cases, like in the Google Now application on Android phones, we even managed to initiate a phone call and that can be even to a premium number that will charge you, you know, high dollars for every minute, even when your phone is locked. And that's a vulnerability we identified.
BEN-ITZHAK: So someone who's not you can, without your passcode, get into your phone and send e-mails and do other things.
BEN-ITZHAK: Exactly. Now, imagine this technology embedded in your car, and you stopping at a stop light and someone is making a voice - either synthesized or just another person. And what can happen to your car? Or if you are buying a device - a smart device at home that is voice-activated, and someone stands behind a door outside. We are calling just to make sure those technologies also include authentication of the source.
RATH: And do we know that devices have been successfully hacked in this way?
BEN-ITZHAK: No, we haven't seen a case in the wild. But that's exactly why we decided to increase the awareness that this exists. Our devices are very personal. It goes with us everywhere we go, and they are connected all the time. They are transmitting data out. Even the Wi-Fi when we're walking in the mall is constantly looking for hotspots to connect to and is doing that broadcasting information out of our devices.
So the worst case scenario can be when someone is taking over this device, so - because it's so personal, all our pictures there, all our contacts are there, all our personal information on there. And also, this device is tracking us all the the time and knows where we're going. If someone takes control of that, that's going to be a very, very bad scenario.
RATH: This is - this is pretty scary. Should people, you know - should we be frightened of our - of our phones?
BEN-ITZHAK: I wouldn't suggest that. I think that awareness is the most important part here, and taking very simple actions is all you need to do. You can simply disable Siri or Google Now until the providers of this technology will include authentication, so - and authentication can be very simple. Very much like when you call to call today to a call center or to your bank, and they authenticate you through your voice, this type of authentication technology can be included on those products.
RATH: Yuval Ben-Itzhak is the chief technology officer with AVG, an online security company. Thanks very much for explaining this.
BEN-ITZHAK: Thank you very much for having me today.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.