Burger King Scores Free Advertising from Google Home with a Whopper of a Hack

Advertisers are always trying to stuff more content into a 15 or 30 second TV spot. Burger King seems to have pulled it off with a series of ads that take advantage of the Google Home device sitting in many viewers living rooms. It works like this: The friendly Burger King employee ends the ad by saying “Ok Google, what is the Whopper burger?” Google home then springs into action reading the product description from Burger King’s Wikipedia page.

Trolls across the internet jumped into the fray. The Whopper’s ingredient list soon included such items as toenail clippings, rat, cyanide, and a small child. Wikipedia has since reverted the changes and locked down the page.

Google apparently wasn’t involved in this, as they quickly updated their voice recognition algorithms to specifically ignore the commercial. Burger King responded by re-dubbing the audio of the commercial with a different voice actor, which defeated Google’s block. Where this game of cat and mouse will end is anyone’s guess.

This event marks the second time in only a few months that a broadcast has caused a voice-activated device to go rogue. Back in January a disk jockey reporting a story about Amazon’s Echo managed to order doll houses for many residents of San Diego.

With devices like Alexa and Google home always ready to accept a command, stories like this are going to become the new normal. The only way to avoid it completely is to not allow it in your home. For those who do have a voice-activated device, be very careful what devices and services you connect it to. Internet of things “smart” door locks are already providing ways to unlock one’s door with a voice command. Burglarizing a home or apartment couldn’t be easier if you just have to ask Siri to unlock the door for you. And while some complained about the lack of security in the Zelda hack, we’d rate that as a thousand times more secure than a voice recognition system with no password.

67 thoughts on “Burger King Scores Free Advertising from Google Home with a Whopper of a Hack

  1. This made me laugh, I love the XKCD cartoon and the whole toenail clippings thing. Voice activated sounds great in practice but if all someone needs to do is shout through your letterbox open door to gain access then it’s a non starter. Not sure if you Yanks have letterboxes but they are a slot in your door for mail to be pushed through, When I see movies you all have those mailbox post things.

    1. I seem to recall seeing one in the movie Home Alone II which was set in New York.

      That said, I’ve never seen one here in Australia. Our letter box is by the footpath, in rural areas they’ve usually got all the boxes for a side-road gathered at that road’s intersection with a more major road.

      The other thing about the rural ones is they tend to be more creative; some are using discarded microwave ovens and milk cans for boxes… some dress these up to look like cows, sheep, emus and anything else you can imagine. True hacks in their own right.

      1. I can see it making sense in rural areas for sure, imagine having to walk to each and every door as rural places tend to have large gardens/grounds etc. Quite interesting that people dress them up I quite like that idea. If I had one I would love to install some sort of system that notifies me my mail is here electronically.

        1. Now you’re going to make me try and find examples…

          DALEK letter box by New England Highway-1=

          http://www.canberratimes.com.au/act-news/canberra-life/top-5-wacky-letterboxes-in-canberra-region-20150706-gi5wcs.html

          Lots of examples actually… but I’m not going to spend all night looking for them all.

          As for making deliveries… the “posties” around here get around on motorcycles (usually 50cc Hondas), scooters and (more recently, electrically-assisted) bicycles usually, except in rural areas where they might use a car instead. So the size of the grounds is not the problem there (even if we have cattle stations bigger than Texas USA).

      2. That actually sounds like a lot of fun. Here in the US, roadside mailboxes have to be approved by the Postmaster General, so they tend to be boring for the most part, with one or two rare exceptions here and there.
        I’ve seen many older suburban homes with mail slots around here, but rural areas almost exclusively have roadside boxes instead.

    2. Older homes do, mostly in places that were once/still are affluent. Since 90% of American movies/shows seem to be set in places like the nice side of New York, you see them a lot. Once you get more rural, or into more recent construction that’s newer, they don’t have them.

  2. I’d be boycotting Burger King and related subsidiaries (e.g. Hungry Jacks here in Australia), as frankly, that kind of behaviour JUST ISN’T ON.

    For sure, I’d think twice about having something like that listening 24×7 in my house, others are not so privacy conscious. However, just because they’ve decided to sell their privacy to the likes of Amazon/Apple/Google/Microsoft does NOT mean that advertisers for any company have the right to hijack the devices responsible in any manner.

    Thankfully for me, such a boycott will be easy: I haven’t walked into one of their “restaurants” in over a decade and can’t stand their “food”.

    1. Not Burgerkings fault that that people have these stupid things in their homes :P

      No real reason to need to think about having one of those once let alone twice. The answer should always be nope :D

      As for me I haven’t set foot in a Burgerking since they moved their corporate headquarters out of the US for tax purposes. These shenanigans on the other hand almost have me wanting to eat there again,

      1. I think it’s quite wonderful of Burger King to allow these people to re-evaluate their stupidity in a harmless manner, before “Bad Things” happen.

        It is inevitable that someone is going to be a worse dick than this, in a more damaging way, if deficiencies not addressed.

      2. Let me be clear, I’m not blaming the burger chain for people having these “assistants”… that is entirely the decision of those individuals.

        What was their decision was to have an actor try and activate those assistants… then when that actor’s voice got blocked, to re-dub the ad with another actor’s voice to work around the block.

        People who say “don’t buy Alexa/Google Home/etc devices” … yep, I agree with you. However, people will, and that is their choice.

        I also believe having the same standard “trigger word” is asking for trouble. As is responding to any voice instead of specific voices.

        In the “dollhouse case”, the television anchor wasn’t intending to trigger these devices, but was just reporting on the story. In this case though, the makers of the ad clearly wanted to trigger these devices.

        If I behaved in the manner of that XKCD cartoon, what’s the probability that I’d be welcome in that house again? The advertising agencies must realise however that their actors are effectively “guests” that can be “asked to leave” if their behaviour is inappropriate. In this case, a single press of the MUTE button at the start of an ad is all that’s necessary, but having do do so is annoying.

        This however, doesn’t send a message to the people who funded this behaviour in the first place. Money is the only thing these people understand, hence my suggestion of the boycott, which is not a hard thing. Go to a place that sells proper food, and you’ll never want to eat one of their “burgers” again.

        1. thing is, BK didn’t try to get the device to order product or do anything malicious. So if it’d been some hacker type who injected a voice command into a broadcast to “prove a point” we’d be celebrating it. The only difference here is the claimed motivation, and the idea coming from a Corporation.

          Maybe this is the first salvo in those dystopian Sci Fi “corporate wars” where this is really all about one corporation attacking the other. And we’re just collateral “damage” ? :)

  3. Does this constitute a breach of the CFAA?
    Burger King have accessed a computer system they do not have permission to be on. Unless the Google device is actually licensed to the homeowner. Even then this behavior seems like a breach of the terms of service on Google’s advertising practices, or even the FCC/FTC’s commercial guidelines.
    If Aaron Swartz can be bullied with a 35 year prison term for breaking Jstor’s ToS (courtesy of Ortiz) Burger King should be facing some stiff fines.

      1. “You’re honor,
        I didn’t access the computer, the program I wrote to exploit a vulnerability in the software accessed the computer”

        Yeah, no.
        They exploited the software and when google created a patch they wrote another exploit to abuse the system in a different way. If we’re gonna imprison people for what amounts to a prank, apply the law equally. Leaving your front door unlocked does not give people permission to enter your house.

  4. Here’s an idea: Captain Picard calls an all-hands meeting. As each person enters the room – Riker, Data, LaForge, Troi, etc. – they say “tea, Earl Grey, hot”. Hilarity ensues.

  5. I still remember that guy that changed his xbox name to “XboxSignOut”, causing enraged kids to yell “xbox sign out, stop harassing me” followed by a couple of swearwords when they got locked out of their game, thanks to xbox popping up the sign out screen. https://gamerant.com/xbox-sign-out-troll-video/

    So, these kinds of trolls are something I have seen before (The “ok google” also works with most phones), and these kind of advertisement things are something I have seen before with Alexa, but actually making them yell what is inside a hamburger is a new one XD

    1. I wonder if you could combine the BK trick with this in any way.

      So you would could yell out of your opponents speakers and have them either sign out or be distracted?

  6. Burger King Scores Free Advertising From Hackaday!
    ——-
    On that note, they should be commended… maybe people will learn something from this experience. And, hopefully, it’s more than to just “change the trigger word.”

    1. Yea; but targeting….
      I think HAD is more the targeted audience for an o-scope, cheap DIY bits, or a clever new tool and probably less the target audience for damn near any other mass market anything.

  7. Is this really any different than any other type of intrusive advertising, popups, flash, etc?
    I won’t use any services from companies that use that type of advertising (yahoo/bing for example)

      1. Most adblockers will give an indication that they work (counter, etc). Plus there is the sitting down at a family members computer who ask you to remove spyware and finding the default browser is IE and the default search is bing and watching it install more spyware while your downloading a real browser so I get to see that those kind of companies still stoop that low.

      2. Yes, they are. I just tend to forget, how much crap-advertising you get without them. But when I sit at a family members computer and try to fix something and open a website (newspaper, youtube) for testing purposes i get remembered. Perhaps I am extra sensitive to commercials, because I refuse television. Opened youtube to test sound installation, first some nice soft music played and at the end suddenly loud noise like a TV-commercial. I asked really surprised:”Don’t you use an adblocker?” – “A What?” – I installed one.

        1. Almost all YouTube videos have weak audio because nobody cares about consistency and quality production. Talking at the back of microphone bearing camera. No post production leveling.

          Adverts do.

  8. This is not a hack. It’s a whole new hobby! ROFL! TY HAD. Two tons of creamed corn… lol.

    The IoT issue was just fuming and stank before this… this puts a flame to the fumes. The dragon needs be confined.

  9. Second try after wordpress dumped my original comment, but claims this is a dupe even though try #1 won’t show.

    I worked in speech recog and bandwidth compression codecs long before this was “a thing”. In fact, it’s far easier to recognize a speaker than it is to translate what they’re saying – if you don’t need bank-vault type security. In fact, a huge reason these cloud guys want to send your speech to the cloud for recog is that it’s a lot harder to translate speech from “just anyone” than it is to train on “just you” – for that you need the huge training base, lots of cycles, and it still has issues with accents and untrained speakers. Thing is, unless they can tap into your speech, there’s no money in it for them… “follow the money”, as usual, leads to better understanding.

    FYI handy hint: To make any speech recog work better, make sure you actually say what you think you’re saying. Most people leave out syllables and slur (and the brain fills in, you have to pay deliberate attention). Even more important, insert a short pause between each word – most people run them together, and again the listener’s brain figures it out. But here we have a dumb computer, no point making its job harder because when it doesn’t work, it’s not helping you.

    ////
    Back in the days of say, IBM’s Via Voice, we built speech transcription systems. There was an initial training period – each user had to read it a little story, and for awhile after that, a secretary would compare tapes to the transcript and correct any errors, training the system further. If for example a doctor always coughed in the middle of saying penicillin, it would learn that for that speaker – or whatever other mispronunciation peculiar to that person. (The original audio was captured on a PDA..which I’m calling a tape here – at any rate, a recording)

    Pretty quickly, the system, given the speaker ID, would become very close to error-free for that speaker, and in fact, quite a lot better than the current mass market services. Why don’t they do that? It’s not hard to pick a speaker out of a family sized group for ID by their voice, and put everyone else into a “ignore” bin.

    Guess the answer. If you can do this at home without a connection, how are they going to get your data to sell, and sell you stuff based on your data? Aha, the answer is obvious. Que smoke screen from these guys on how only their big servers can do this…it’s just not true, we were doing better on 386s back in the day – for a limited group, which is exactly what is wanted here for security.

    1. They want to harvest as much data as possible for profiling, bulk training data, and lifestyle profiling to better push advertisements. Person A waked up at X, is out of the house for Y hours a day, owns own cat, …

    2. Eggs actly. It was better to wreck a nice beach by training the software to individual users. A person a system wasn’t trained for could not issue voice commands. No special security needed because it was ‘baked in’ with the training.

      Having these assistants setup from the get go to work with *anyone*, without any requirement to first setup access control, is excessively stupid and dangerous.

    3. excellent reply, would upvote if this was /. LOL
      My mother was always fascinated by products promising true natural language speech processing. Closest thing Ive ever found that did what we wanted was Dragon Naturally Speaking. But even that required, as you mention, training, training, training.

      then you get a cold and Dragon doesn’t recognize you very well anymore. So it starts learning again, just enough to have issues when you’re better.

      People don’t think about how much “assumption” is done in language-the generation of speech is easy compared to the *understanding* that is required for communication. the meaning expressed has to be the meaning received or “communication” did not happen.

      getting people to understand their miracle little assistant from Google lacks the ability to process and parse speech without calling home to bring in Big Iron at the backend, has been an uphill battle.

  10. Somebody please tell me what happens if you ask it “Ok Google, what is the value of PI to the last digit?” (Star Trek TOS ;) )
    Can you ask to the hundredth digit or so if that doesn’t work?

    And I will not eat that junk anymore. Bleagh.

  11. This is just terrible, im glad Google turns out to be able to filter this super easy (they literally flipped a switch and the commercial no longer triggers it, but saying the exact same thing yourself will) but a bit puzzled why they didn’t have that feature enabled already anyway. I guess Google knew beforehand / Burger Kind paid to be allowed this ‘fun’?

    Oh and i dont really believe that any self respecting HaD reader would have any always-listening devices like these.

    Besides that its ‘news’ from a few days ago, im a bit surprised its only now covered by HaD, ive read about this on local sites on the 12th, sites that usually get their ‘geek’ news from HaD even..

    1. Google filtered the exact soundbite, so they could not filter the soundbite before it existed in the wild. That’s why BK could re-dub the commercial to bypass the filter. It’s not a generic anti-activation feature that they can activate for everything

  12. Thank You BK… With this “Ad” you taught us to NOT trust the ubiquitous IoT/Smartphone devices that spy on us! However in the end BK, this lesson will come back to bite you; now I will never trust an IoT/Smartphone device to order a burger from you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s