Admins might be on the lookout for standard security threats like DDoS attacks, phishing campaigns, and ransomware. But what about the threats that aren’t exactly keeping them up at night?
Here’s a sampling of the weirder, more theoretical security threats to emerge over the past year—ranging from exotic side-channel attacks designed by academics to cybercriminals talking in other people’s voices.
NUIT
In April 2023, researchers at the University of Texas at San Antonio and the University of Colorado, Colorado Springs demonstrated a novel side-channel attack called Near-Ultrasound Inaudible Trojan (NUIT) for The Register.
NUIT comes in two flavors, NUIT-1 and NUIT-2, both of which transmit voice commands at frequencies inaudible to humans in order to target voice assistants. NUIT-1 uses a carrier such as an app or video to play the malicious sound, tricking the targeted device into talking to itself. NUIT-2 uses the same method to target microphones on other devices—for example, playing the sound during a video meeting to target phones near participants’ speakers.
Every major voice assistant from Alexa to Siri is vulnerable to varying degrees. But NUIT has a catch: NUIT-1 only works when a device’s speaker and microphone are close to one another, and both methods can trigger an audible response from the voice assistant in question. In any case, an attacker could only use NUIT to control devices or accounts already connected to the voice assistant, and only for functions that don’t require further approval or authentication by the user.
Wi-Fi spying
Carnegie Mellon University researchers recently developed a way to track people through walls using Wi-Fi signals.
The method isn’t new—according to Vice, similar methods were proposed in 2013 and 2018—but it is disconcertingly powerful. In findings published on arXiv, the researchers said they had developed a neural network capable of mapping the phase and amplitude of Wi-Fi signals sent and received by routers to three-dimensional points on a human body. That data is then fed to a modified version of DensePose, software that maps 2D images of humans into 3D models.
The end result? Sort of an X-ray view via Wi-Fi. According to ZDNet, the researchers’ proof of concept was able to achieve acceptable resolution using just two $30 TP-Link routers. Hackaday noted the utility of this technology for “three letter agencies.”
Voice spoofing
Machine learning-powered generative text tools like OpenAI’s ChatGPT are already empowering script kiddies and email phishers—but the simultaneous rise of powerful voice spoofing tools like ElevenLabs, which use snippets of audio to recreate the sound and cadence of a person’s voice, has already undermined voice authentication.
In February 2023, Motherboard’s Joseph Cox reported that he used an ElevenLabs-generated copy of his voice to trick the over-the-phone Voice ID system offered by Lloyds Bank, gaining access to his bank account. Experts told IT Brew that Cox’s trick was representative of the growing utility of voice spoofing, which has “very limited and almost nonexistent detection or prevention.” VMware Carbon Black Principal Cybersecurity Strategist Rick McElroy told IT Brew that spoofing is now powerful enough to bypass many consumer-facing voice ID systems or trick humans as a supplementary element of a phishing attack, and organizations have rolled out “very limited and almost nonexistent detection or prevention” methods at scale.
The James Webb Space Telescope
Yes, really: Researchers at security firm Securonix released a report in September 2022 showing cybercriminals were circulating phishing emails containing macros that would download a version of the James Webb Space Telescope’s famous first image—apparently in the hopes users would fail to notice the .jpeg contained an obfuscated, Base64-encoded payload called GO#WEBBFUSCATOR.
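For defenders, the tell in a lure like this is a long stretch of Base64 text inside a file that otherwise looks like an image. The sketch below is an added example, not code from Securonix or from this article: it flags such runs in a JPEG and notes whether the first decoded bytes look like an executable. The function name, the 256-character threshold, and the executable-magic check are assumptions made for illustration.

```python
import base64
import re

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
MIN_RUN = 256                # shortest Base64 run worth reporting (tunable)
# Compressed image data rarely stays inside the Base64 alphabet this long.
B64_RUN = re.compile(rb"[A-Za-z0-9+/\r\n]{%d,}={0,2}" % MIN_RUN)
# Assumption: a decoded payload may begin with one of these executable magics.
EXEC_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF"}


def scan_image(data: bytes) -> list[dict]:
    """Report long Base64 runs embedded in a file that starts like a JPEG."""
    if not data.startswith(JPEG_SOI):
        return []
    findings = []
    for m in B64_RUN.finditer(data):
        text = re.sub(rb"[\r\n=]", b"", m.group())   # unwrap lines, drop padding
        if len(text) < MIN_RUN // 2:                 # mostly line breaks: ignore
            continue
        head = base64.b64decode(text[:16])           # 16 chars -> 12 bytes
        kind = next((name for magic, name in EXEC_MAGIC.items()
                     if head.startswith(magic)), "unknown")
        findings.append({"offset": m.start(), "length": len(text), "kind": kind})
    return findings


# Constructed sample data: a minimal JPEG-like header, a stand-in "payload"
# (an MZ magic followed by zero bytes, not real malware), and the EOI marker.
HEADER = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLE = HEADER + base64.encodebytes(b"MZ" + bytes(300)) + b"\xff\xd9"
CLEAN = HEADER + bytes(range(256)) * 4 + b"\xff\xd9"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("clean", CLEAN)):
        print(label, scan_image(blob))
```

A run reported as "unknown" still deserves a look, since an obfuscated payload need not decode straight to an executable header.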