GhostTalk: Interactive Attack on Smartphone Voice System Through Power Line
Inaudible voice command injection is one of the most threatening attacks towards voice assistants. Existing attacks aim at injecting the attack signals over the air, but they require the access to the authorized user’s voice for activating the voice assistants. Moreover, the effectiveness of the attacks can be greatly deteriorated in a noisy environment. In this paper, we explore a new type of channel, the power line side-channel, to launch the inaudible voice command injection.
We present GhostTalk, a new hidden voice attack that is capable of injecting and eavesdropping simultaneously. Via a quick modification of the power bank cables, the attackers could launch interactive attacks by remotely making a phone call or capturing private information from the voice assistants. GhostTalk overcomes the challenge of bypassing the speaker verification system by stealthily triggering a switch component to simulate the press button on the headphone.
@inproceedings{wang2022ghosttalk,
author = {Wang, Yuanda and Guo, Hanqing and Yan, Qiben},
title = {GhostTalk: Interactive Attack on Smartphone Voice System Through Power Line},
booktitle={Network and Distributed Systems Security (NDSS) Symposium},
year = {2022},
}
Features of GhostTalk
-
How does GhostTalk work?
Since the shared power bank is open to rent for all users, the attackers can rent shared power banks and modify them. After modification, these malicious power banks can compromise smartphone voice assistants, and then hack private information, launch ghost call, or steal voice verification codes.
What devices can be compromised by GhostTalk?New generations of smartphones have discarded 3.5mm headphone jack and integrated the headphone audio functions into the charging port. This innovation revamps the outlook of smartphones, but it imposes new threats to the smartphone audio system when users are charging in public spaces. All the smartphones with Lightning or USB-C charging ports are vulnerable to GhostTalk.
What are the key contributions of GhostTalk?- ★ GhostTalk can simultaneously achieve two attack goals, i.e., voice injection and eavesdropping
- ★ GhostTalk does not require any prior knowledge about the victim's voice, and it can bypass the speaker verification through a backdoor in the charging port
- ★ GhostTalk is resilient against strong environmental noises and can bypass liveness detection systems
GhostTalk Sample Audios
These are natural speech audios and injected speech audios via GhostTalk. Can you distinguish them?
Group A
Group B
GhostTalk Demo
GhostTalk-SC Attack
In case when the smartphones are charged by an unaltered standard cable, we discover that it is possible to recover the audio signal from smartphone loudspeakers by monitoring the charging current on the power line.
To demonstrate the feasibility, we design GhostTalk-SC (Standard Cable), an adaptive eavesdropper system targeting smartphones charged in public USB ports. To correctly recognize the private information in the audio, GhostTalk-SC carefully extracts audio spectra and integrates a neural network model to classify spoken digits in the speech.
Countermeasure Recommendations
- ⚑ Disable the voice assistant activation by headphones.
- ⚑ Add headphone notification.
- ⚑ Stop charging after reaching high percentage battery level.