Your iPhone Can Be Hacked with a Laser Pointer—Here’s How

Beware: New research has found a scary way for attackers to secretly hack your iPhone's virtual assistant.

Virtual assistants like Siri and Alexa make our lives astonishingly easier—but they might leave us more vulnerable, too. According to researchers at the University of Michigan and the University of Electro-Communications, Tokyo, a security flaw in the assistants’ microphones could put our devices (and our privacy) at risk. Their study, published in a paper last year, revealed that hackers can take over voice-controlled devices like iPhones using tools as simple as laser pointers. FYI, Siri isn’t the only thing that makes your phone a target for hackers.

How a laser pointer can hack your iPhone

Believe it or not, devices with virtual assistants like Siri respond to light waves the same way they do to sound waves, the study found. By pointing a laser beam at the microphone, the researchers could trick a device into accepting commands as though it had heard a verbal cue. “It’s just like ‘speaking’ over a light beam, in such a way that the microphone can ‘hear’ it but of course your ears cannot,” says Randy Pargman, senior director for Binary Defense, a cybersecurity company.

After spending seven months testing the hack on devices enabled with Google Home, Amazon’s Alexa, and Apple’s Siri, the researchers discovered that they could transmit light commands from hundreds of feet away with items ranging from $14 laser pointers to flashlights. Don’t miss these other cybersecurity secrets hackers don’t want you to know.

What this means for personal security

Once a hacker hijacks a voice-controlled assistant, they can access anything that requires a voice command. Those who use Siri to simply keep a shopping list or tell them the weather are at low risk, according to Pargman. But this attack “is much more concerning for people who have their security connected to voice commands,” he says. The hacker would be able to turn off home security systems, order items online using saved credit card info, or even access medical devices that are synced with the assistant.

This attack can also work by shining the laser through a window, raising concerns about security when users are not home. In one instance, researchers successfully sent light commands through a window to a Google Home inside another building more than 200 feet away. You might also be surprised to learn these 7 alarming things hackers can do when they have your email address.

Has this ever actually happened?

Thankfully, the researchers said they do not know of any cases where an attacker has used light commands to control a device. Though the study demonstrated this technique in several real-world scenarios, Pargman noted that it would be tough to replicate. “It requires just the right combination of a sophisticated attacker who would go through a lot of effort to break into a house and a victim who has a lot of security devices connected through their digital assistant,” he says. “It also requires the digital assistant to be placed near a window, visible to a nearby location [where] the attacker can set up their equipment.”

Hoping to prevent future attacks, the study’s authors shared their findings with companies whose products are vulnerable, including Amazon, Apple, and Google. The companies have said that they will investigate the potential security issue but reassured users that such an attack is unlikely. Find out which of your smart home devices is the most vulnerable.

How to protect your iPhone

Concerned about your privacy? To protect your iPhone against light commands, Pargman recommends keeping it away from windows and avoiding leaving it out where others can access it. “If a laser does not have a straight-line path from the outside to the microphone, it can’t be used,” he says. The same goes for other voice-controlled devices like Alexa and Google Home.

Users should also think carefully about the privacy implications of having a voice-controlled device in the home, according to Pargman. Anyone from cybercriminals to house visitors to children can give commands to a virtual assistant, so “be smart about how much control you give them over your security and the things you care about,” he advises.

That said, you can rest assured that the likelihood of a laser hijacking your device remains small. “I think readers are more likely to see this technique appear in a spy movie or novel than they are to experience this type of attack,” Pargman says. Watch out for these red flags someone is spying on your phone—no laser pointer required.

Sources: