If you use voice assistants on your smart devices or accounts with a series of microphone and speaker devices in full operation, you may be at risk for a new ultrasound-based attack that has proven its devastating effects.

In particular, researchers at the University of Texas and the University of Colorado have created a series of ultrasound-based attacks called NUIT.

These attacks can exploit vulnerabilities of Internet of Things devices equipped with microphone and voice assistants, including the most known as Google Assistant or Siri.

These ultrasound-based attacks are unaudible for humans, but they're detected by these kinds of smart devices so you wouldn't know they've accessed your device until you see that things seem not to go quite right.

In their preliminary presentation to The Register, they have shown this attack under two modalities: NUIT-1 and NUIT-2.

On the one hand, NUIT-1 is able to send ultrasonic signals to a smart speaker to compromise the microphone and voice assistant on the same device; while NUIT-2 will take advantage of the speaker to attack the microphone and wizard on a different device.

This is how these attacks work

• The NUIT-1 attack was considered a silent end-to-end attack, and, among others, assistant Siri was completely vulnerable to it.
  However, they were able to control the iPhone to lower the volume of the smartphone to 6%, while a second instruction allowed them to use Siri to open the victim's main door through the Apple Home app.
• The NUIT-2 attack sends integrated ultrasonic signals via a teleconference such as a Zoom meeting that allowed cybercriminals to remotely hit a nearby phone.
  Vulnerable devices include various iPhone models, a 2021 MacBook Pro, a 2017 MacBook Air, Samsung Galaxy phones and tablets, first-generation Amazon Echo 2, Apple Watch 3, Google Pixel 3 and Google Home, among others.

As a recommendation, researchers advise users to avoid buying devices designed with the speaker and microphone together. They also comment that headphone use mitigates these vulnerabilities, and also enable voice authentication on personal assistance devices.

In any case, they call on big manufacturers of these devices to develop tools to recognize unaudible commands embedded in near-ultrasonic frequencies.