This paper presents a voice hacking proof of concept that demonstrates the ability to deploy a sequence of hacks, triggered by speaking a smartphone command, to launch ransomware and other destructive attacks against vulnerable Windows computers on any wireless network the phone connects to after the voice command is issued. Specifically, a spoken, broadcast, or pre-recorded voice command directs vulnerable Android smartphones or tablets to a malicious download page that compromises the Android device and uses it as a proxy to run software designed to scan the Android device’s local area network for Windows computers vulnerable to the EternalBlue exploit, spreading a ransomware-like application to those PCs, and executing it remotely. The demonstrated proof of concept, with relevant source code included in the appendix, can be extended and adapted to allow other voice-enabled, mobile, and IoT devices to perform multi-platform attacks against traditional PCs, as well as other mobile and IoT devices, and even critical infrastructure systems. In addition to describing the proof-of-concept attack in detail, the authors propose several remedies individuals and organizations can employ to prevent such attacks.
Information Security Commons, Management Information Systems Commons, Technology and Innovation Commons