Assistive technology with inadequate security, such as voice control interfaces, can give malware loopholes to circumvent security protocols

Source: oneclickroot.com
Assistive technology makes device usage more convenient for users, especially those with disabilities. However, these features have inadequate security because their implementation involves “inevitable trade-offs among compatibility, usability, security, and cost.” These trade-offs leave the security system vulnerable to attackers who wish to gain access to and misuse assistive technologies. Researchers identified and demonstrated twelve different attacks that bypass the state-of-the-art security used by the four most popular computing platforms: Ubuntu Linux, iOS, Android, and Microsoft Windows.

Source: A11y Attacks: Exploiting Accessibility in Operating Systems
One of these demonstrations showed how a hacker can bypass the voice authentication of the Android platform’s Touchless Control. From the moment the user registers their voice with the Touchless Control app on the first boot-up, the app continuously monitors the microphone for the authentication phrase “OK Google Now.” After hearing the phrase, the app checks whether the voice signature matches the user’s registered signature. This design leaves the app vulnerable to replay attacks. Since the user repeats the phrase multiple times, the hacker can create malware that records the user saying the phrase and then replays this recording through the device’s own speaker. After gaining access, the hacker can use the default text-to-speech library from Google Now to issue a variety of commands. The discovery of these security lapses is a major signal to OS vendors that they need to start implementing stronger security to protect users.
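The replay works because a recording of the user passes the same phrase and voice-signature check as the live user. The sketch below is an added example, not code from the paper or from any vendor: it contrasts that check with a gate that refuses a wake phrase captured while the device's own speaker was active. The gating idea, the `GUARD_MS` margin, all names and the timeline are assumptions constructed for illustration.

```python
from dataclasses import dataclass

PHRASE = "ok google now"   # fixed authentication phrase named on the page
GUARD_MS = 500             # assumed margin for the echo tail after playback stops

@dataclass
class Playback:            # interval in which the device's own speaker was active
    start_ms: int
    end_ms: int

@dataclass
class Utterance:           # what the always-on listener captured
    start_ms: int
    end_ms: int
    text: str
    voice_match: bool      # outcome of the voice-signature comparison

def naive_accept(u):
    """Phrase plus voice signature only, the check the page describes."""
    return u.text == PHRASE and u.voice_match

def self_playback_overlap(u, playbacks):
    """True if the utterance overlaps any local playback interval plus guard."""
    return any(u.start_ms < p.end_ms + GUARD_MS and p.start_ms < u.end_ms
               for p in playbacks)

def gated_accept(u, playbacks):
    """Same check, but refuse audio that may have come from our own speaker."""
    return naive_accept(u) and not self_playback_overlap(u, playbacks)

def evaluate(utterances, playbacks):
    """Return (naive decision, gated decision) for each utterance."""
    return [(naive_accept(u), gated_accept(u, playbacks)) for u in utterances]

# Constructed timeline: one local playback and four captured utterances.
PLAYBACKS = [Playback(10_000, 11_200)]
UTTERANCES = [
    Utterance(2_000, 3_100, PHRASE, True),     # live user, speaker silent
    Utterance(10_050, 11_150, PHRASE, True),   # heard during local playback
    Utterance(11_400, 12_300, PHRASE, True),   # starts inside the echo guard
    Utterance(20_000, 21_000, PHRASE, False),  # right phrase, different voice
]

if __name__ == "__main__":
    for u, (naive, gated) in zip(UTTERANCES, evaluate(UTTERANCES, PLAYBACKS)):
        print(f"t={u.start_ms:>6} ms  naive={naive!s:<5}  gated={gated}")
```

The gate only covers audio played by the device itself, which is the case the page describes; a recording played from a separate device needs a different control, such as a liveness check.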

Citation: Jang, Yeongjin, Chengyu Song, Simon P. Chung, Tielei Wang, and Wenke Lee. "A11y Attacks: Exploiting Accessibility in Operating Systems." CCS '14 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (2014): 103-15. Web. 23 Oct. 2015.