RF Attack Controls Nearby Smartphones Via “Okay Google” And “Hey Siri”

Most spy movies (at least the ones worth their salt) will include a few scenes that depict nerds in a van listening in on conversations remotely and causing the victims' phones to do things like turn themselves or their cameras on. We have been made to believe that it takes an entire van of equipment and one or two MIT-level hackers to pull this off. Turns out all it takes is about $2300, some know-how, and an unsuspecting target with a set of microphone-equipped headphones attached to their phone.

The French Government's information security research group ANSSI has been investigating this and published a paper with their findings. Unfortunately that paper is behind a paywall. Wired has a pretty good summation of the findings: the attack uses a transmitter to induce a current in the headphone cable, so the phone picks up the injected signal on the headset's microphone line. Inducing a current in a wire isn't surprising in itself. What is surprising is the accuracy: the injected signal is clean enough to both trigger the hands-free features provided by Siri and Google Now and successfully interact with them.

We think this is a really cool proof-of-concept. It's mentioned that an attacker could potentially use this to make calls or do other things that cost the victim money, provided the target has microphone-equipped headphones plugged in. We think it's more likely to be implemented by resourceful young engineers as a practical joke. Rickrolling is a popular go-to. But if you can make the phone "hear" audio, you should also be able to make someone wearing headphones hear ghosts. This has a lot of potential. The first one to make this happen really needs to let us know about it.


Five Dollar RF Controlled Light Sockets

This is tens of thousands of dollars' worth of market research I'm about to spill, so buckle up. I have a spreadsheet filled with hundreds of projects and products that are solutions to 'home automation' according to their creators. The only common theme? Relays. Home automation is just Internet-connected relays tied to mains. You're welcome.

[Todd] over at Fabricate.io found an interesting home automation appliance on Amazon: a four-pack of remote-control light sockets for $20, or what we would call a microcontroller, an RF receiver, and a relay. These lamp sockets are remote-controlled, but each package is limited to four channels. Terrible if you're trying to outfit a home, but a wonderful exploration into the world of reverse engineering.

After cracking one of these sockets open, [Todd] found the usual suspects and a tiny little 8-pin DIP EEPROM. This chip stores a few thousand bits, several of which are tied to the remote control. After dumping the contents of the EEPROM from the entire four-pack of light sockets, [Todd] noticed only one specific value changed between them. Obviously, this was the channel tied to the remote, stored in the clear and simply compared against whatever comes in over the air. No CRC or nothin'. It doesn't get easier than this.

With the new-found knowledge of what each lamp socket was looking for, [Todd] set out to clone the transmitter. Tearing this device apart, he found a chip with HS1527 stamped on it. A quick Googling revealed this to be an encoder transmitter, with the datasheet showing an output format of a 20-bit code and four data bits. This was a four-channel transmitter, right? That's where you put each channel. The 20-bit code was interesting but not surprising; you don't want one remote being able to turn off every other 4-pack of lamp sockets. It is a fixed code rather than a rolling one, though: the 20 bits only keep neighbours from stepping on each other by accident, and anyone who captures a single transmission can replay it.

With all the relevant documentation, [Todd] set out to do the obvious thing: an Arduino transmitter. This was simply an Arduino and a transmitter at the right frequency, loaded up with a bit of carefully crafted code. [Todd] also figured out how to expand his setup to more than four lamp sockets: by changing the 20-bit code, he could make his Arduino pretend to be more than one transmitter.
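To make the frame format concrete, here is an added example in Python that is not [Todd]'s Arduino code: it builds and decodes 1527-style frames (the 20-bit code followed by four data bits the datasheet describes), and shows the multi-transmitter trick of emitting frames under several 20-bit codes from one device. The symbol timing used here (a '0' is one unit high and three low, a '1' is three high and one low, and a frame ends with a one-high/31-low sync gap) is the commonly documented EV1527 format; that the HS1527 matches it, and the 350 µs base pulse, are assumptions. The pulse lists are constructed sample data, so it runs offline.

```python
"""
EV1527-style fixed-code frames: 20-bit address + 4 data bits, no CRC, no counter.

Added example for this article, not [Todd]'s code. The symbol timing is the
commonly documented EV1527 format; it is an assumption that the HS1527 matches
it, and UNIT_US is an assumed typical base pulse width.
"""
from typing import Dict, List, Optional, Tuple

UNIT_US = 350            # assumed base pulse width in microseconds
ADDRESS_BITS = 20        # the 20-bit code from the datasheet quoted above
DATA_BITS = 4            # the four data (channel) bits

Pulse = Tuple[int, int]  # (high_us, low_us) for one on-off-keyed symbol


def frame_bits(address: int, data: int) -> str:
    """The 24-bit frame as a '0'/'1' string: address first, MSB first."""
    if not 0 <= address < 1 << ADDRESS_BITS:
        raise ValueError("address must fit in 20 bits")
    if not 0 <= data < 1 << DATA_BITS:
        raise ValueError("data must fit in 4 bits")
    return f"{address:0{ADDRESS_BITS}b}{data:0{DATA_BITS}b}"


def encode_frame(address: int, data: int, unit_us: int = UNIT_US) -> List[Pulse]:
    """Pulse train for one frame: 24 data symbols followed by the sync gap."""
    pulses: List[Pulse] = []
    for bit in frame_bits(address, data):
        pulses.append((3 * unit_us, unit_us) if bit == "1" else (unit_us, 3 * unit_us))
    pulses.append((unit_us, 31 * unit_us))  # sync: short high, long low
    return pulses


def clone_burst(targets: Dict[int, int], repeats: int = 4) -> List[Pulse]:
    """Frames for several address -> data pairs, back to back.

    One transmitter impersonates several remotes simply by changing the
    20-bit code. Real remotes repeat each frame a few times, so we do too.
    """
    burst: List[Pulse] = []
    for address, data in targets.items():
        burst.extend(encode_frame(address, data) * repeats)
    return burst


def _classify(high: int, low: int, tolerance: float) -> Optional[str]:
    """Map one (high, low) pair to '0', '1', or None if the shape is wrong."""
    unit = (high + low) / 4.0

    def near(width: int, units: int) -> bool:
        return abs(width - units * unit) <= tolerance * unit

    if near(high, 1) and near(low, 3):
        return "0"
    if near(high, 3) and near(low, 1):
        return "1"
    return None


def decode_pulses(pulses: List[Pulse], tolerance: float = 0.3) -> List[Tuple[int, int]]:
    """Recover (address, data) frames from a pulse train.

    A sync gap (low at least 10x the high) terminates a frame; frames with a
    wrong symbol count or a malformed symbol are dropped, as a cheap receiver
    would. There is nothing else to verify: no checksum and no counter, so a
    captured frame replays as-is.
    """
    frames: List[Tuple[int, int]] = []
    bits: List[str] = []
    bad = False
    for high, low in pulses:
        if low >= 10 * high:
            if not bad and len(bits) == ADDRESS_BITS + DATA_BITS:
                word = int("".join(bits), 2)
                frames.append((word >> DATA_BITS, word & ((1 << DATA_BITS) - 1)))
            bits, bad = [], False
            continue
        symbol = _classify(high, low, tolerance)
        if symbol is None:
            bad = True
        else:
            bits.append(symbol)
    return frames


if __name__ == "__main__":
    # Constructed sample: a remote with address 0xABCDE pressing button 1,
    # replayed to its own sockets and to a second 4-pack on another address.
    captured = encode_frame(0xABCDE, 0b0001)
    print("captured frame decodes to", decode_pulses(captured))
    burst = clone_burst({0xABCDE: 0b0001, 0x12345: 0b1000}, repeats=2)
    print("clone burst decodes to", decode_pulses(burst))
```

Feeding the output of `encode_frame` into `decode_pulses` is exactly what the socket does with a real remote, which is why a dump of the EEPROM plus a transmitter at the right frequency is the whole attack; the decoder's timing tolerance also shows why a cheap receiver happily accepts a cloned transmitter whose pulses are a little off.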

With Arduino-controlled lamp sockets, the world is [Todd]’s oyster. He can add Ethernet, WiFi, Bluetooth LE, and whatever trendy web front end he wants to have a perfect home automation setup. It’s actually a pretty impressive build with some great documentation, and is probably the cheapest way to add Arduino/Internet-enabled relays we’ve ever seen.