Skip to main content
Skip to main content

Shouhuai Xu, the Gallogly Endowed Engineering Chair in Cybersecurity and Professor in computer science, and Guenevere Chen, an associate professor in the UTSA Department of Electrical and Computer Engineering, recently published a paper on USENIX Security 2023 that demonstrates a novel inaudible voice trojan attack to exploit vulnerabilities of smart device microphones and voice assistants — like Siri, Google Assistant, Alexa or Amazon’s Echo and Microsoft Cortana — and provide defense mechanisms for users.

The researchers developed Near-Ultrasound Inaudible Trojan, or NUIT (French for “nighttime”) to study how hackers exploit speakers and attack voice assistants remotely and silently through the internet.

Chen, her doctoral student Qi Xia, and Xu used NUIT to attack different types of smart devices from smart phones to smart home devices. The results of their demonstrations show that NUIT is effective in maliciously controlling the voice interfaces of popular tech products and that those tech products, despite being on the market, have vulnerabilities.

“The technically interesting thing about this project is that the defense solution is simple; however, in order to get the solution, we must discover what the attack is first,” said Xu.

The most popular approach that hackers use to access devices is social engineering, Chen explained. Attackers lure individuals to install malicious apps, visit malicious websites or listen to malicious audio.

For example, an individual’s smart device becomes vulnerable once they watch a malicious YouTube video embedded with NUIT audio or video attacks, either on a laptop or mobile device. Signals can discreetly attack the microphone on the same device or infiltrate the microphone via speakers from other devices such as laptops, vehicle audio systems, and smart home devices.

“If you play YouTube on your smart TV, that smart TV has a speaker, right? The sound of NUIT malicious commands will become inaudible, and it can attack your cell phone too and communicate with your Google Assistant or Alexa devices. It can even happen in Zooms during meetings. If someone unmutes themselves, they can embed the attack signal to hack your phone that’s placed next to your computer during the meeting,” Chen explained.

Once they have unauthorized access to a device, hackers can send inaudible action commands to reduce a device’s volume and prevent a voice assistant’s response from being heard by the user before proceeding with further attacks. The speaker must be above a certain noise level to successfully allow an attack, Chen noted, while to wage a successful attack against voice assistant devices, the length of malicious commands must be below 77 milliseconds (or 0.77 seconds).

“This is not only a software issue or malware. It’s a hardware attack that uses the internet. The vulnerability is the nonlinearity of the microphone design, which the manufacturer would need to address,” Chen said. “Out of the 17 smart devices we tested, Apple Siri devices need to steal the user’s voice while other voice assistant devices can get activated by using any voice or a robot voice.”

NUIT can silence Siri’s response to achieve an unnoticeable attack as the iPhone’s volume of the response and the volume of the media are separately controlled. With these vulnerabilities identified, Chen and team are offering potential lines of defense for consumers. Awareness is the best defense, the UTSA researcher says. Chen recommends users authenticate their voice assistants and exercise caution when they are clicking links and grant microphone permissions.

She also advises the use of earphones in lieu of speakers.

“If you don’t use the speaker to broadcast sound, you’re less likely to get attacked by NUIT. Using earphones sets a limitation where the sound from earphones is too low to transmit to the microphone. If the microphone cannot receive the inaudible malicious command, the underlying voice assistant can’t be maliciously activated by NUIT,” Chen explained.

Research toward the development of NUIT was partially funded by a grant from the Department of Energy National Nuclear Security Administration’s (NNSA) Minority Serving Institutions Partnership Program (MSIPP). The $5 million grant supports research by the Consortium On National Critical Infrastructure Security (CONCISE) and allows the creation of certification related to leveraging Artificial Intelligence (AI) and block-chain technology to enhance critical infrastructure cybersecurity posture.

UCCS has a uniquely integrated campus cybersecurity model and is considered the center of cybersecurity education for the University of Colorado system. The university is primed to meet the cybersecurity needs of our nation, from education and research partnerships to developing the cybersecurity workforce of the future.

UTSA is a nationally recognized leader in cybersecurity. It is one of few colleges or universities in the nation – and the only Hispanic Serving Institution – to have three National Centers of Academic Excellence designations from the U.S. Department of Homeland Security and National Security Agency.

Why not be fearless when fighting a global pandemic?

Why not be fearless when fighting a global pandemic?

Why not be fearless when fighting a global pandemic?

CU Anschutz's Dr. Michelle Barron battles the COVID-19 pandemic on the front lines and keeps smiling despite the challenges.

Dr. Michelle Barron has had a tough three years. When the COVID-19 pandemic was declared a national emergency in the U.S. in March 2020, her job put her on the front lines.  

But Barron, the senior medical director of infection prevention and control for UCHealth University of Colorado Hospital, and her team were up for the challenge, drawing on years of experience researching infectious diseases to improve public health outcomes.

Our team approaches every day asking ourselves, ‘Why not aim for zero preventable infections?’ Then we build systems and operations to make that a reality.
-- Dr. Michelle Barron

“Fear of the unknown doesn’t scare me at all because this is what I do. I’m an infectious disease doctor and I do detective work,” Barron says. “I often start with unknowns and that's what drives me to try and figure out what is wrong.”


Responding to the Unknown Without Fear

As an expert on infectious diseases, Barron’s job involves planning for pandemics before they happen.

“People don’t think about this, but pandemics occur about every 10 years. They’re not all of the same magnitude, but if you’re in my world, you prepare,” Barron says. “You think through what resources you need for patients and for staff.”

So, when COVID-19 hit in March 2020, Barron and her staff were able to take a systematic approach to understanding the pandemic even though there were so many unknowns.

“We were dealing with a new disease. In addition to a lack of information, there was also an unbelievable amount of erroneous information. The evidence wasn’t as firm as we were used to, everything was changing quickly,” she says. “It was like working in a hurricane.”

 

Dr. Michelle Barron at UCHealth University of Colorado Hospita

Dr. Michelle Barron at UCHealth University of Colorado Hospital.

 


To develop an effective pandemic response, Barron and her team drew on existing models from the 1918 flu pandemic and other pandemics to predict disease spread, to plan for staffing shortages and hospital triage measures and to determine how to prevent transmission.

“While I can appreciate that some things are not preventable, our team approaches every day asking ourselves, ‘Why not aim for zero preventable infections?’” Barron says. “Then we build systems and operations to make that a reality.”

With these models, they were able to plan for hospital staff and their family members getting sick which enabled them to backfill positions and plan for staff to miss work due to their children’s school closures.


Inspiring Patients and Donors

Barron's can-do attitude has drawn attention from donors over the years.  

After a rare bacterial infection landed George Sissel in the hospital in 2019, he and his wife Mary Sissel were so impressed by Barron’s approach to diagnosis that they decided to support her research.  

Barron says their generous offer came at a particularly crucial time for her.

“I had been wanting to look at how many people get fungal infections,” she recalls. “It’s an important area of study but it’s not something you get federal grants for. When I met the Sissels, I had just been getting to the point where I was about to say I’m not doing research anymore.”

With help from the Sissel family, Barron’s research got back on track. Barron has since partnered with her colleague, Dr. Esther Benamu, to complete a study on fungal infections in patients with underlying blood cancers or transplants. Barron is also investigating the links between COVID-19 and fungal infections.


Working with Communities

In addition to providing patient care, conducting research and steering the hospital through its pandemic response, Barron also partners with churches, community centers and other local organizations on community outreach. Barron’s team leverages the organizations’ community connections to reach the largest number of people.

“Often, the natural cultural navigators will be community members with a bit of health care training that people seek out when they need something,” she says. “Once you find them, you sit down with them and get them on board. That’s how you reach the rest of the community.”  

Barron also made it a priority to support public COVID-19 vaccination drives throughout Colorado. At one vaccine drive held next to a Broncos training camp, Barron spoke with local news reporters who were on site to cover the training camp.

“People actually showed up and said, ‘We saw you on the news just now and thought, well, why not?’” Barron recalls. “That was one of my heart-melting moments where I was so happy I do this work. If I can convince one person to get a vaccine, I’ve made a difference in the world and that matters to me.”

 

Barron (in background) oversees vaccination event for the Denver

Barron (in background) oversees vaccination event for the Denver

Although Barron says she was never afraid during the pandemic, her anxiety level would rise and fall based on what was happening. She struggled with “turning off” after long and stressful days, but personal support from friends like the Sissels sustained her through the toughest times. “Like many of my friends did throughout the pandemic, Mary and George would text me if they saw me on the news or on a campus presentation to wish me well,” Barron says. “Their philanthropy is an example of how they watched and cared for me, but they also did this in a very personal way.”

CU Anschutz
Subscribe to Research