Much has been made of cybersecurity in the smart home in recent months, with the U.S. government taking action this year by proposing the Cyber Trust Mark, the cybersecurity equivalent of the Energy Star Label that certifies that a device meets basic cybersecurity standards. Now, new research into the threat of near ultrasonic cyberattacks is telling us exactly why we need to pay attention to IoT cybersecurity.
In filings for the Federal Communications Commission’s Cyber Trust Mark proceeding, researchers say inaudible voice commands, audio signals typically beyond the average adult human’s hearing range, can silently issue malicious commands to voice-activated IoT devices.
The vulnerability was declared so severe that it is registered in the National Vulnerability Database maintained by the National Institute of Standards and Technology. Tracked as CVE-2023-33248 and first associated with Amazon Alexa software, researchers say this allows attackers to deliver security-relevant commands via audio signals between 16 and 22 kHz.
Commands at those frequencies are “essentially never spoken” by authorized users, but a substantial fraction of commands issued at those frequencies are successfully executed.
Two of the FCC filers, Forrest McKee and David Noever, are researchers with Alabama-based engineering consultant PeopleTec, and have experience researching for NASA and the Department of Defense. In a research paper published in the May 2023 edition of the International Journal of Network Security and Its Applications, the two call the vulnerability a “near ultrasonic attack” in which these malicious, inaudible commands are broadcast via Zoom, YouTube, Teams or a user’s mobile device, with the intent to target various connected IoT devices.
Impacted devices can include Alexa, Google Nest Mini, Apple HomeKit devices, and more, researchers say. This can lead to the unauthorized opening of garage doors, unlocking of doors, tampering with server room temperature, activation of home appliances and other potentially malicious actions.
According to McKee and Noever, their research experiment involved generating and surveying fifty near-ultrasonic audios to assess the cyberattacks’ effectiveness. Unprocessed commands achieved a 100% success rate, while processed commands achieved an 86% acknowledgment rate and a 58% overall executed (successful) rate.
“The ramifications of this vulnerability are both vast and multifaceted,” McKee writes in his statement to the FCC. “Within the corporate realm, such a security flaw can be weaponized for acts of sabotage—potentially by aggrieved employees or competing entities. In residential settings, there is a tangible risk of unauthorized device access and manipulation, which directly threatens both security and comfort of citizens.”
The research findings also revealed that the cyberattack method employed Single Upper Sideband Amplitude Modulation (SUSBAM) to generate near-ultrasonic audio from audible sources. By eliminating the lower sideband, the design achieved a 6 kHz minimum from 16-22 kHz while remaining inaudible after transformation, according to the May 2023 paper.
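Because commands in the 16-22 kHz band are "essentially never spoken" by authorized users, a device or monitoring tool can flag audio frames whose energy sits mostly in that band before they reach the speech recognizer. The sketch below is an added example, not code from the article, the paper or any vendor; the function names, the 48 kHz capture rate and the 0.5 threshold are assumptions, and the test frames are constructed.

```python
import math

# Band from the article (16-22 kHz); the threshold is an assumed tuning value.
NEAR_ULTRASONIC_HZ = (16_000.0, 22_000.0)
ASSUMED_THRESHOLD = 0.5


def goertzel_power(frame, k):
    """Power of DFT bin k of `frame`, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_energy_ratio(frame, fs, band=NEAR_ULTRASONIC_HZ):
    """Fraction of a frame's spectral energy that lies inside `band`."""
    if fs < 2 * band[1]:
        # Below Nyquist the band is not representable, so the check is blind.
        raise ValueError("sample rate too low to observe the band")
    n = len(frame)
    total = in_band = 0.0
    for k in range(1, n // 2):  # skip DC, stop below Nyquist
        p = goertzel_power(frame, k)
        total += p
        if band[0] <= k * fs / n <= band[1]:
            in_band += p
    return in_band / total if total > 0.0 else 0.0  # silence -> 0.0


def is_suspicious(frame, fs, threshold=ASSUMED_THRESHOLD):
    return band_energy_ratio(frame, fs) >= threshold


def tone(freq, amp, fs=48_000, n=480):
    """Constructed test signal: one 10 ms frame of a pure sine."""
    return [amp * math.sin(2.0 * math.pi * freq * i / fs) for i in range(n)]


# Constructed frames: audible-only content vs. dominant 18 kHz energy.
AUDIBLE = tone(1_000, 1.0)
MIXED = [a + b for a, b in zip(tone(1_000, 0.2), tone(18_000, 1.0))]

if __name__ == "__main__":
    for name, frame in (("audible", AUDIBLE), ("mixed", MIXED)):
        print(name, round(band_energy_ratio(frame, 48_000), 3),
              is_suspicious(frame, 48_000))
```

The check only works on audio captured at a rate high enough to represent the band, which is why a low sample rate raises an error instead of silently reporting a clean frame.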
McKee and Noever urge the FCC to facilitate collaboration among industry stakeholders to address this vulnerability as the agency deliberates and fine-tunes the Cyber Trust Mark program.
McKee and Noever’s research is highlighted in this YouTube video below.