How to hack mobile devices using YouTube videos

The attack only takes a few hidden voice commands.

Researchers have devised a way to leverage YouTube to hack mobile devices.

A team from the University of California, Berkeley, and Georgetown University has developed the means to compromise a mobile device using hidden voice commands embedded within a YouTube video.

In order for the device to be attacked, the intended victim needs to do nothing more than watch the YouTube content.

The researchers say on their project page that the hidden voice commands used by the attack are "unintelligible to human listeners but which are interpreted as commands by devices."

The video does not even have to be watched on the target mobile device. Instead, as long as the crafted video is watched on a nearby device -- such as a laptop, PC, smart TV, or tablet -- the commands will be received by either Google's Now voice assistant or Apple's Siri personal assistant.

As noted by Security Affairs, once these commands are deciphered by the voice-based assistants, they are executed.

Such an attack could permit hackers to instruct the mobile device to download malware or tamper with configuration settings, potentially leading to device compromise, surveillance, or a range of other issues caused by malicious code.

In the researchers' paper, dubbed "Hidden Voice Commands," the team says that there are two methods to launch the attack. The paper states:

"In the black-box model, an attacker uses the speech recognition system as an opaque oracle. We show that the adversary can produce difficult to understand commands that are effective against existing systems in the black-box model.

Under the white-box model, the attacker has full knowledge of the internals of the speech recognition system and uses it to create attack commands that we demonstrate through user testing are not understandable by humans."

It's a novel way to attack a device. While it is in no way likely to be the threat that traditional malware remains, the researchers say the threat can be averted by introducing notifications when commands are received or executed.