Is it possible to control Amazon Alexa, Google Now using inaudible commands? Absolutely

Eavesdropping appliances like Amazon Echo and software assistants like Google Now can be attacked using mangled words that get interpreted as commands, but humans hear as nonsense. As explained in a 2015 paper [PDF], the phrase "Cocaine Noodles," for example, can be heard by Google Now as its command invocation, "OK, Google …

  1. AlexGreyhead
    Coat

    Cocaine noodles, add five Amazon Echo Dots to my shopping list. And some monkeys.

  2. ratfox

    Don't the assistants reply loud and clear whenever you give them an order?

    1. Paul Crawford Silver badge
      Gimp

      Not when you order a ball-gag.

  3. Someone Else Silver badge
    Coat

    "OK, Google. Add cocaine noodles to my shopping list"

    ...

    "Honest, guv'ner, I was simply tellin' this microphone thingie over 'ere to add some noodles to me shoppin' list. I don't know how this package of cocaine appeared on me doorstep!"

  4. Blotto Silver badge

    Amazon now?

    What does Amazon deliver when you say

    "Cocaine noodles"?

    Could seriously revolutionise the drug industry. The next Pablo Esteban is probably coding the drug über meets echo app as we speak (unless it's already here and I'm hugely out of touch with how things are done nowadays).

    All delivered by drone of course.

    1. TRT Silver badge

      Re: What does Amazon deliver...?

      Amphetabetti-spaghetti.

      1. macjules
        Coat

        Re: What does Amazon deliver...?

        Which is of course better than the Google equivalent of Alphabet-Spaghetti ..

    2. Pompous Git Silver badge

      Re: Amazon now?

      "All delivered by drone of course."
      Presumably on credit. Then you get the demand to pay up in 24 hours or have your kneecaps rearranged.

  5. Anonymous Coward
    Anonymous Coward

    Sounds reasonable

    On one of my computers, (an Asus Flipbook), Cortana wakes up and starts recording when I say "toilet paper". I'll let you wits take it from there.

    1. macjules

      Re: Sounds reasonable

      This already exists. Trouble is that they charge you for the device.

    2. Anonymous Coward
      Anonymous Coward

      Re: Sounds reasonable

      Not surprising. Yesterday I asked Alexa to give me the weather. The Dot in the bedroom 10m away (through a doorway, round corners) started playing Amy Grant and the Echo a few feet in front of me said it didn't know of a town called "burning".

    3. hplasm
      Coat

      Re: Sounds reasonable

      "Cortana wakes up and starts recording when I say "toilet paper"."

      and states: "Wiping Windows 10..."

  6. Ken Moorhouse Silver badge

    Coke & Noodles

    Calls the police on the basis you are planning to create an IED.

    https://www.youtube.com/watch?v=l1teigkajYk

    1. kain preacher

      Re: Coke & Noodles

      Wouldn't that have the same effect as eating taco bell and coke ?

  7. flipside101

    Just tested cocaine noodles on my OP5 and there was no reaction, OK google was instant though.

    1. Robert Carnegie Silver badge
      Joke

      You just ordered oodles of cocaine. We will fulfil once we've hired a truck for your delivery. Is it OK to drop it in your driveway? When someone orders oodles of sand for a building project, we do that.

  8. Ken Hagan Gold badge

    An ingenious attack, but presumably now that the method has been disclosed it is fairly easy to defeat it with a low-pass filter on the microphone. (Arguably, there should already be one there on the principle that one should always sanitise inputs before processing.)

    1. Mage Silver badge

      Re: low-pass filter on the microphone.

      Not so simple if it's the electret capsule. A little easier if it's the FET (need new design of capsule as FET is internal). If it's simply aliasing type "mixing" (Fin - Fsample), then you need a pretty good low pass filter as a simple R C will be defeated by simply more volume. OTOH, if it's aliasing, then sampling at 96kHz and DSP filter is very effective as it's very hard to generate above 48kHz (the Nyquist frequency for 96kHz).

      1. iansmithedi

        Re: low-pass filter on the microphone.

        These products have MEMS microphones, which are mechanically very linear out towards 100 kHz. It's more likely to be the digitisation process with limited filtering. Sampling at the higher rate is the best solution, as you write, but at the expense of power consumption for the phone.

    2. Voland's right hand Silver badge

      it is fairly easy to defeat it with a low-pass filter on the microphone.

      Now try convincing let's say Google or Amazon to add it to their designs. If you are wondering why they are so reluctant to do so, I suggest running a spectrum analyzer on the audio section of the next TV advert. You will stop wondering when you notice the amount of "interesting" stuff in the higher frequencies.

      1. Amorous Cowherder
        Boffin

        "suggest running a spectrum analyzer on the audio section of the next TV advert"

        Yep, it's done to wake up your tablets and phones, they can pick up the audio and that allows the ad-men to do more tracking by looking for the number of "callbacks"!

        Easy answer? Stop watching TV as it's full of shite any way! Ha ha!

    3. Anonymous Coward
      Anonymous Coward

      ... it is fairly easy to defeat it with a low-pass filter on the microphone ...

      You can certainly try to defend against it, but you can't fully protect yourself against an attack of this type. The Fourier-aliasing attack aside, any sufficiently loud noise will generate harmonics and sub-harmonics if the microphone has an even slightly non-linear response somewhere within the signal's spectrum. You can do it with the ultrasound as in this report; you can do it with infrasound, or you can do it with a sharp whistle. The ultrasound case is dead easy, as you are relying on the lowest-order non-linearity, and use your microphone to generate a difference frequency of two high-frequency signals. The last two are harder to control to produce the desired output signal, since you are relying on higher-order non-linearities - but still easy enough if you have access to the same hardware the target has.

      Depending on where they are placed, low-pass and band-pass filters may defend against the attack (if they are placed before the non-linear element), or they can facilitate it: if the filter is placed after the non-linear element, it will cut the abnormally-strong signal at the unexpected frequency, so that you'll never know anything was wrong in the first place. The already-generated harmonics will just pass through ...

      The only sure-fire defence is to completely cut the output if the input at any frequency (measured as early as possible in the device) exceeds the design limits. Naturally, this defence immediately becomes a denial-of-service vulnerability, and so it goes.

      1. Adrian 4

        Many of the non-linear elements are mechanical, not electronic. A filter to defeat it would have to be an acoustic filter rather than circuitry. A big wad of felt, or something. Unlikely to get added.

      2. Cuddles

        "Naturally, this defence immediately becomes a denial-of-service vulnerability, and so it goes."

        On the plus side, disabling voice-activated IoT nonsense may well be considered a feature, not a bug.
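
The filter-placement point made in thread 8 above (a low-pass filter only helps if it sits before the non-linear element), as an added simulation that is not part of any commenter's post. The quadratic microphone model, the 30 kHz carrier, the 1 kHz stand-in tone, the modulation depth and the FIR design are all constructed assumptions.

```python
import cmath
import math

FS = 192_000        # simulation rate standing in for the analog domain (assumed)
N = 3_840           # 20 ms: whole periods of both tones, so circular filtering is exact
F_CARRIER = 30_000  # ultrasonic carrier in Hz (constructed value)
F_TONE = 1_000      # audible tone standing in for a voice command (constructed)
DEPTH = 0.8         # AM modulation depth (constructed)
A2 = 0.1            # assumed strength of the microphone's quadratic term

def am_ultrasound():
    """Tone amplitude-modulated onto the carrier: no energy below 29 kHz."""
    return [(1 + DEPTH * math.cos(2 * math.pi * F_TONE * n / FS))
            * math.cos(2 * math.pi * F_CARRIER * n / FS) for n in range(N)]

def nonlinear_element(x):
    """Lowest-order non-linearity: y = x + A2 * x^2."""
    return [v + A2 * v * v for v in x]

def lowpass_taps(cutoff_hz=20_000, ntaps=101):
    """Hamming-windowed sinc FIR, normalised to unity gain at DC."""
    mid = (ntaps - 1) / 2
    taps = []
    for k in range(ntaps):
        t = k - mid
        ideal = (2 * cutoff_hz / FS if t == 0
                 else math.sin(2 * math.pi * cutoff_hz * t / FS) / (math.pi * t))
        taps.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * k / (ntaps - 1))))
    total = sum(taps)
    return [h / total for h in taps]

def lowpass(x, taps=lowpass_taps()):
    """Circular convolution; valid because the test signal is periodic in N."""
    return [sum(h * x[(n - k) % N] for k, h in enumerate(taps)) for n in range(N)]

def amplitude_at(x, freq_hz):
    """Amplitude of one frequency component via a single-bin DFT."""
    acc = sum(v * cmath.exp(-2j * math.pi * freq_hz * n / FS) for n, v in enumerate(x))
    return 2 * abs(acc) / N

def compare_placements():
    s = am_ultrasound()
    after = lowpass(nonlinear_element(s))    # filter behind the non-linear element
    before = nonlinear_element(lowpass(s))   # filter in front of it
    return {
        "tone_filter_after": amplitude_at(after, F_TONE),
        "carrier_filter_after": amplitude_at(after, F_CARRIER),
        "tone_filter_before": amplitude_at(before, F_TONE),
    }

if __name__ == "__main__":
    for name, value in compare_placements().items():
        print(f"{name}: {value:.5f}")
```

With the filter behind the quadratic term, the 1 kHz tone survives at about `A2 * DEPTH` while the carrier that produced it is filtered out of view; with the filter in front, the tone is never generated.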

  9. o p

    for images too

    There is a series of "deception challenges" on Kaggle like this one:

    https://www.kaggle.com/c/nips-2017-non-targeted-adversarial-attack

    You have to modify an image so that a human won't notice the difference but certain classifiers will be fooled.

    But deep learning is not the only victim. For ages English people have asked me about the kind of "messages" I am looking for or to repeat some Peter Sellers lines..

  10. kain preacher

    Cocaine noodles

    Isn't that top ramen and red bull?

  11. Anonymous Coward
    Joke

    Personally I would be more worried about :

    Audible commands...

  12. Anonymous Coward
    Thumb Up

    Alexa, buy me a Rolex. Confirm purchase!

    Is the first thing I say when I walk into anyone's living room.

    On my fifth watch now, but don't get invited out much any more.

    1. Ken Moorhouse Silver badge

      Re: Alexa, buy me a Rolex. Confirm purchase!

      Is this your way of sticking your oar in?

      http://www.fyneboatkits.co.uk/photos/products/rowlocks/bronze-open-rowlocks-sockets.jpg

      For some reason there's a big increase in popularity of these kits (the 12" version is the most popular for some reason):-

      https://images-na.ssl-images-amazon.com/images/I/31krlxYXLhL._SX300_.jpg

  13. Mike 16

    People who read this

    have also looked for:

    "how to make sure the auto-playing videos embedded on my site cannot be blocked."

  14. John Smith 19 Gold badge
    Unhappy

    This is one of those things you see and think "That's got to be bu***hit"

    And yet it isn't. :-(

    Fortunately it's probably impossible to pull off with the standard speakers on a regular phone due to the crappy bandwidth they have.

    OTOH Bluetooth it to a custom device and it could still be quite small but still create a lot of mayhem...

  15. Fred Dibnah

    I'm surprised Song didn't try singing to it.

    Alexa, get me coat.

  16. ecofeco Silver badge

    This shit will not end well

    This shit will not end well and we'll be lucky to live through it.

    (referring to the never ending incredible mistakes being made regularly by computer companies)

  17. TheElder

    Microphone

    The only microphone I have turned on lately is one that intentionally records other sounds. I am using it to answer scammers that ask for your e-mail address.

    The nice little Olympus voice recorder then replies:

    Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...Gonads are useful for their purpose but they are no substitute for brains...

    1. TheElder

      Re: Microphone

      I have slightly changed my sound wave. I am sending a sound sequence calculated to possibly induce epilepsy like some video games. This is a bit of a hobby for a while since it doesn't cost me anything to send this. I am waiting to see if they change the scam greeting again. The first time the greeting was half an hour long. The next morning they shortened it to 1 minute.

      I can also confuse them because I have more than one phone number. The one I am using is not listed and does not accept incoming. It is also a dumb phone on the net. The people that supply my line think this is hilarious. But then they are students (summer job) from the university where I am working.

  18. Anonymous Coward
    Anonymous Coward

    at a frequency outside of the range of human hearing

    It's time to release the flock of specially trained bats!

    1. Anonymous Coward
      Anonymous Coward

      Re: at a frequency outside of the range of human hearing

      Funnily enough, the collective noun for a flying group of bats is "cloud".

    2. Anonymous Coward
      Anonymous Coward

      Re: at a frequency outside of the range of human hearing

      And if they counter with a sound that's at the resonance frequency of their skulls?

  19. kain preacher

    But can I actually get cocaine noodles ?

  20. TheElder

    But can I actually get cocaine noodles ?

    Cocaine Noodles

    More Cocaine Noodles

    Addictive Noodles

  21. TheElder

    But can I actually get cocaine noodles ?

    Buy them here for 1 dollar

    Cocaine

    She don't lie, she don't lie, she don't lie... Propane

  22. kain preacher

    And El reg commentators never disappoint.

  23. M Gale

    "not the sort of thing one can sneak into a room easily"

    https://www.amazon.co.uk/20Vrms-Ultrasonic-Transducer-Sensor-Detector/dp/B00P0BD6PA

    https://www.amazon.co.uk/MakerHawk-NodeMcu-Development-ESP8266-ESP-12F/dp/B071S8MWTY

    https://www.amazon.co.uk/Value-Charger-Adapter-Quadcopter-XC317/dp/B01F6YUGLW

    https://www.amazon.co.uk/XCSOURCE-Battery-Lithium-Charging-TE668/dp/B01N2Z24VL

    I'm sure this would be difficult to sneak into a room. It must be all the size of a moderately voluminous matchbox.

  24. LaeMing

    Got my first android phone the other week.

    Spent a nice sunny morning on the balcony playing with all the settings including disabling the Google App's access to absolutely everything it had disable options for!

    1. Amorous Cowherder

      Re: Got my first android phone the other week.

      A lot of the time those apps simply go dormant in the foreground but the services stay active in the background. You really want to do it properly, look for Google free clean builds from sites like XDA and flash your phone without any of the Google shit in there in the first place, the only way to be sure the services never even got installed let alone started.

  25. martinusher Silver badge

    An old technique brought up to date

    The composer Frédéric Chopin exploited an effect like this in some of his compositions. He didn't use intermodulation distortion but the beat effects of many notes played at speed to give the subjective impression of another part being played inside the piece. (Needless to say you need to have rather good technique to achieve this -- you're more likely to hear it on a decent recording of something like his Etudes.)

  26. Winkypop Silver badge
    WTF?

    These digital assistant thingies

    Why?

    Just why?

    1. Anonymous Coward
      Anonymous Coward

      Re: These digital assistant thingies

      Oh I dunno, audio control over your music and ebooks is good enough for me. Oh, and alarms and timers.

      1. rmason

        Re: These digital assistant thingies

        No need to stay anonymous, we use ours a lot too, so much so we added three dots to the echo we got to celebrate the birthday of baby jesus last year.

        Anything it can't find on amazon music (I hit maybe three songs a week that it wants me to upgrade to the premium music jobby for) I just ensure there's a copy on my plex server and it can then pull it from there (it does this automatically if the song is already present in any of my music libraries it can see including online services like spotify).

        We've found we use the timer a hell of a lot, the DAB radio only gets turned on for the odd sporting event now (i'm a football fan, not popular around these parts I know) all other radio and music is now consumed via either a dot and a decent speaker, or the echo unit.

        We (like many people I think) have disabled the ability for it to buy anything in the settings. This wasn't hidden and wasn't hard. It can still buy media, so the worst I could be stiffed for is a terrible album/song i'd never be forced to listen to.

        We use it to build the shopping list for the family's needs (it presents this list on the relevant app on your phone, or will yell it at you in the house) meaning whoever is at whatever shop can see what we need, grab it and remove it from the list.

        It's not like the thing was a fortune, and it's not like you have to use it or leave it plugged in, but we do and we do. It cost no more than a reasonable compact speaker that doesn't have the other functionality, and we've found we use that functionality a lot. Great bit of kit.

  27. grizzly

    Devices need to roll out tech like Alexa's Wake Word Verification: https://goo.gl/UmWPbb

  28. This post has been deleted by its author

  29. Anonymous Coward
    Anonymous Coward

    "...an ultrasound signal above 20 kHz..." and non-linear microphones

    Have these people been testing this in Cuba? Damaging the hearing of diplomatic staff?

    Non-linearity often implies extremely high amplitudes, and in this case ultrasonic..

    Strange...

    1. Anonymous Coward
      Anonymous Coward

      Re: "...an ultrasound signal above 20 kHz..."

      the (Cuban) high-powered ultrasonics is probably following the publicly well known means for transducer coupling (through the faraday) high levels of audio energy into a remote bug, conducted through the TEMPEST/EMSEC shield itself, for powering the bug and then listening to the reflected audio.

      does sound a lot in concept like these social media Microphones!

      more acronyms at places like this: https://www.sans.org/reading-room/whitepapers/privacy/introduction-tempest-981

  30. Joe Harrison

    Private Eye

    Funny cartoon in Private Eye print edition which I can't find online. Cat half asleep on floor looking at budgie in cage, Amazon Echo on coffee table. Budgie speech caption "Alexa cancel the cat food and double the birdseed order"

    1. Ken Moorhouse Silver badge

      Re: cancel the cat food and double the birdseed order

      Haven't they done that in reality by buying Whole Foods?

      http://www.wholefoodsmarket.com/blog/whole-story/millets-not-just-birds

  31. JimmyPage Silver badge
    Boffin

    Defence ?

    Presumably there is an opening for a prophylactic device which sprays out random inaudible noise to prevent this trick working ?
