Using radio waves, hackers at the French government agency ANSSI say they've been able to silently trigger voice commands on any smartphone thanks to access via Google Now and Siri. Reporting in the journal IEEE, they say it's possible to operate the voice-activated command tools to do things like open malware sites, send texts or phishing emails, and even call specific phone numbers that generate cash for the hacker. But as "clever" as Wired reports this trick to be—the headphone cord is used as an antenna—it has several limitations, including that headphones with a microphone must be plugged into the jack; the hacker must be within 16 feet of the phone; and Google Now or Siri must be enabled.
"Additional functionality, especially concerning user convenience, has often come at the cost of some security," Gavin Reid, VP of threat intelligence for Lancope, tells Forbes. "In this case the hack needs proximity to work and is a proof of concept needing specialized hardware." And while it's possible for people with this hardware to position themselves in crowded places such as airports and trigger some kind of attack on any qualifying phones within range, he adds that the odds are low. "This attack is less likely to be leveraged by the criminal underground, especially with other methods much easier to implement." Even so, Vincent Strubel at ANSSI says, "The sky is the limit here. Everything you can do through the voice interface you can do remotely and discreetly through electromagnetic waves." (Some 95% of Androids are open to a major hack.)