Hack any smartphone with Surfing Attack

Surfing attack is used in hijacking any smartphone using google assistants and iPhone using Siri virtual assistants. Can you imagine, all this is done by using ultrasonic vibrations. This research was done by the University of Washington in St. Louis, the Academy of Sciences of China and the University of Nebraska-Lincoln. Researchers explained that ultrasonic vibrations having a frequency much wider than human voice, can be used by attacker to gain access to any phone using voice assistants and make calls without knowing. This attack is called as Surfing Attack.

To transmit these malicious signals (ultrasonic in nature), MEMS microphone circuits are used. MEMS (Micro Electrical Mechanical System) is a tiny integrated devices or systems to combine mechanical to electrical components. Microphone circuits are used to send a commands through signals with high frequency, that are not audible to the human ear. To execute these, piezoelectric transducer are used, which costs only $5. These are fixed surface of the table as shown below.

Surfing Attack. Source:
  • We can watch below demo video of surfing attack.
surfing attack demo

At the same time, researchers assure that this attack can be executed from the long distance up to 9 meters, 30 feet.

  • We can watch below demo video of long-distance.
surfing attack on long distance

The researchers executed this surfing attack on many devices and found many vulnerable mobile phones (Google pixel, Apple iPhone, Samsung galaxy S9 and Xiaomi Mi 8). In this research, only devices failed were: Huawei mate 9, Samsung galaxy note 10+, Amazon echo and Google home.

Surfing attack is not the first attack, there is another attack using ultrasounds command called dolhinattack. Similarly to this we have few more attacks like backdoor, lipread and light commands, but these attacks uses laser instead of ultrasounds to sends commands quietly to the smart devices.

Surfing Attack on iPhone

For demonstration two attacks were carried on prototype devices:

Hacking an SMS passcode: All major services uses SMS for two-factor authentication and one-time password. In secret we can activate victim’s device to read the SMS and extracting SMS pass codes by using surfing attack .

Making fraudulent calls: Using the synthetic voice of the victim, we take control of the owner’s phone to call random numbers and to conduct interactive dialogue on his phone using a surfing attack.

The researcher successfully attacked popular smartphones (15 smartphones and 3 different tables) using this surfing attack. Different attacks were conducted which includes taking selfie, SMS passcode hacking and fraudulent phone call attack using different scenarios. To inject inaudible command on voice assistants microphone circuits are used.

Three types of tables were used to test surfing attack (aluminum/steel, glass, and medium-density fiberboard (MDF)). The surfing attack on aluminum and glass with two different thicknesses were tested. Surfing attacks can be executed through long-distance up to 30 ft distance through a metal table.

Possibility of pair command injection with a hidden microphone was tested to enable hidden conversations between the attacker and the victim. Several practical attacks were demonstrated using SMS passcode and fraud phone call.