A thief lies in wait across the street, hiding in the bushes and waiting for the lights of your television to go dark. Once you’re in bed, he aims a laser pointer at your Amazon Echo device, and tricks it into opening your garage door. With another laser, he tells Alexa to start your car.
A team of researchers at the University of Michigan, working with another group in Japan, detailed a number of attacks just like this one in a recent paper. All of the attacks use focused light to manipulate modern smart devices, sometimes from more than a football field away.
How does it work? According to the researchers:
The main discovery behind light commands is that in addition to sound, microphones also react to light aimed directly at them. Thus, by modulating an electrical signal in the intensity of a light beam, attackers can trick microphones into producing electrical signals as if they are receiving genuine audio.
In other words, the built-in microphones that detect sound waves in your voice will react to focused light in the same way.
Using a laser modulator, a hacker can record their voice issuing a command, and then transform a beam of light into pulses that mimic the same pattern. Once it’s beamed onto the device, it reacts the same way as if someone were talking to it.
Worse, researchers found that they could trick the devices from 110-meters with hardware easily found on Amazon.
The team informed Amazon, Apple, and Google about these vulnerabilities, but so far a fix isn’t available. For now, the best thing you can do is to keep the devices out of sight, so that a thief can’t see them through a window.