Compromised Computers Meet Voice Assistants: Stealthily Exfiltrating Data as Voice over Telephony

New security concerns arise due to the growing popularity of voice assistants (VA) in home and enterprise networks. We explore how malware infected computers can encode sensitive data into audio and leverage nearby VAs to exfiltrate it. Such low cost attacks can be launched remotely, at scale, and can bypass network defenses. By using Dual-Tone Multi-Frequency tones to encode data into audio that is played over ordinary computer speakers, modest amounts of data (e.g., a kilobyte) can be transmitted with a phone call lasting a few minutes. This can be done while making the audio nearly inaudible for most people. With the help of a prototype built by us, we experimentally assess the impact of several factors that impact data transfer rates and transmission accuracy achieved by such attacks. Our results show that voice assistants in the vicinity of computers can pose new threats to data stored on them.