Review
BibTex RIS Cite

Types of cyber-attacks with using voice

Year 2025, Issue: 061, 137 - 165, 30.06.2025

Nursel Yalçın , Bilge Lale

Abstract

Recently, attacks targeting individuals, organizations and even critical voice-activated systems have become widespread one after another. Basically, these are unauthorized access or control of a device using manipulated or synthesized voice commands to attack an identified vulnerability in voice technologies, usually supporting smart assistants and smart speakers. While such attacks are diversifying simultaneously with the regular implementation of voice technologies in daily life, the potential consequences of such attacks also increase their impact in cases where most users and organizations are not sufficiently aware. In this study, various voice-based cyber-attacks, such as voice phishing (vishing), voice command manipulation, attacks using ultrasonic sound waves, hard disk attacks via voice commands and acoustic eavesdropping attacks, their methods (e.g., synthesizing deceptive voice commands, using ultrasonic frequencies to bypass security systems, manipulating devices through inaudible commands, exploiting voice interfaces to access sensitive data on hard drives, capturing private conversations using sound waves) and possible effects are investigated and some legal situations related to these threats are also touched upon in the context of the current cyber security environment in Türkiye. This study aims to increase awareness by providing a comprehensive analysis of voice-based cyber-attacks and to better inform users and cybersecurity professionals about effective prevention and mitigation strategies. It serves as a comprehensive review of existing research in this field.

Keywords

Cybersecurity cyber-attack data breach voice technologies voice-based attacks

References

  • [1] T. D. Rossing, F. R. Moore, and P. A. Wheeler, The Science of Sound, 3rd ed. SF, USA: Addison Wesley, 2002.
  • [2] B. Mulgrew, P. Grant, and J. Thompson, Digital Signal Processing: Concepts and Applications. London, 1st ed. U.K.: Palgrave HE UK, 1999.
  • [3] B. Naqvi, K. Perova, A. Farooq, I. Makhdoom, S. Oyedeji and J. Porras, “Mitigation strategies against phishing attacks: A systematic literature review,” Comput. & Security, vol. 132, p. 103387, 2023, doi: 10.1016/j.cose.2023.103387.
  • [4] W. Stallings, Network Security Essentials: Applications and Standards, 6th ed. Upper Saddle River, NJ, USA: Pearson, 2016.
  • [5] A. Saxena. “What is cybersecurity and why is it important?” Sprinto.com. https://sprinto.com/blog/importance-of-cyber-security/ (accessed Nov. 11, 2024).
  • [6] R. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems. Hoboken, NJ, USA: Wiley, 2021.
  • [7] M. E. Whitman and H. J. Mattord, Management of Information Security, 6th ed. Boston, MA, USA: Cengage Learning, 2018.
  • [8] V Malik, A. Khanna, N. Sharma, and S. Nalluri, (2024). Trends in Ransomware Attacks: Analysis and Future Predictions. International Journal of Global Innovations and Solutions (IJGIS). doi:10.21428/e90189c8.f2996624.
  • [9] J. Mirkovic and P. Reiher, (2004). “A taxonomy of DDoS attack and DDoS defense mechanisms,” ACM SIGCOMM Computer Communication Review, vol. 34, no.2, pp. 39-53. doi:10.1145/997150.997156.
  • [10] P. Cheng and U. Roedig, “Personal voice assistant security and privacy-A survey,” IEEE J. Emerg. Sel. Top. Circuits Syst., vol. 10, no. 4, pp. 476–507, Apr. 2022, doi: 10.1109/JPROC.2022.3153167. https://doi.org/10.1109/JPROC.2022.3153167.
  • [11] D. Bilika, N. Michopoulou, E. Alepis, and C. Patsakis, “Hello me, meet the real me: Voice synthesis attacks on voice assistants,” Computers & Security, vol. 137, p. 103617, 2024, doi: 10.1016/j.cose.2023.103617.
  • [12] A. G. Desetty, V. D. Jangampet, and S. R. Pulyala, "Phishing attacks: Evolving techniques, emerging trends, and countermeasure strategies," International Journal for Innovative Engineering and Management Research, vol. 9, no. 12, pp. 985–991, 2020. [Online]. Available: https://www.researchgate.net/profile/Vinay-Dutt/publication/376645699_Phishing_Attacks_Evolving_Techniques_Emerging_Trends_and_Countermeasure_Strategies/links/673eb65d440ad82b18a086fb/Phishing-Attacks-Evolving-Techniques-Emerging-Trends-and-Countermeasure-Strategies.pdf
  • [13] A. Ansari and M. Nazir. “Risk assessment of security vulnerabilities in smart home using CAPEC and defensive goals.” Advances in Data and Information Science, vol 318, p. 705–722, 2022, doi:10.1007/978-981-16-5689-7_63.
  • [14] F. McKee and D. Noever, “Acoustic cybersecurity: Exploiting voice-activated systems,” Cryptography and Security, vol. 2023, p. 2312.00039, 2023, doi:10.48550/arXiv.2312.00039.
  • [15] S. Hussain, P. Neekhara, S. Dubnov, J. McAuley and F. Koushanfar, “WaveGuard: Understanding and mitigating audio adversarial examples,” in Usenix Security 2021, 2021, pp. 1–10, doi:10.48550/arXiv.2103.03344.
  • [16] D. Buil-Gil, S. Kemp, S. Kuenzel, L. Coventry, S. Zakhary, D. Tilley and J. Nicholson, “The digital harms of smart home devices: A systematic literature review,” Comput. in Hum. Behav., vol. 145, p. 107770, 2023, doi: 10.1016/j.chb.2023.107770.
  • [17] F. Toapanta, B. Rivadeneira, C. Tipantuña, and D. Guamán, “AI-Driven vishing attacks: A practical approach,” Engineering Proceedings, vol. 77, no. 1, p. 15, 2024, doi: 10.3390/engproc2024077015.
  • [18] C. Dinu. “What is vishing? Unmasking voice phishing scams and techniques.” TextMagic.com. https://www.textmagic.com/blog/what-is-vishing/ (accessed Nov. 11, 2024).
  • [19] N. Bhatnagar and M. Pry, “Student attitudes, awareness, and perceptions of personal privacy and cybersecurity in the use of social media: An initial study,” Information Systems Education Journal, vol. 18, no. 1, pp. 48–58, 2020. [Online]. Available: https://files.eric.ed.gov/fulltext/EJ1246231.pdf
  • [20] C. S. Kayser, S. Back, and M. M. Toro-Alvarez, "Identity theft: The importance of prosecuting on behalf of victims," Laws, vol. 13, no. 6, pp. 68, 2024, doi: 10.3390/laws13060068.
  • [21] K. Marchini. “2018 Identity fraud: Fraud enters a new era of complexity.” JavelinStrategy.com. https://www.javelinstrategy.com/research/2018-identity-fraud-fraud-enters-new-era-complexity (accessed Nov. 11, 2024).
  • [22] M.A. Siddiqi, W. Pak and M.A. Siddiqi, “A study on the psychology of social engineering-based cyberattacks and existing countermeasures,” Appl. Sci., vol. 12, p. 6042, 2022, doi: 10.3390/app12126042.
  • [23] G. Zhang, C. Yan, X. Ji, T. Zhang, T. Zhang and W. Xu, “DolphinAttack: Inaudible voice commands,” in ACM SIGSAC Conf. on Computer and Communications Security (CCS ’17), 2017, pp. 103–117, doi: 10.1145/3133956.3134052.
  • [24] H. Shah, M.Z. Rashid, M.F. Abdollah, M.N. Kamarudin, C.K. Lin and Z. Kamis, “Biometric voice recognition in security system,” Indian J. Sci. Technol., vol. 7, no. 1, pp. 104–112, Jan. 2014, doi: 10.17485/ijst/2014/v7i1.9.
  • [25] A. Hamed and N. Abdelbaki, “Acoustic attacks in iot era: Risks and mitigations,” in Proc. of the 2020 5th Int. Conf. on Cloud Computing and Internet of Things (CCIOT '20), Okinawa, Japan, 2020, pp. 13–19, doi: 10.1145/3429523.3429530.
  • [26] European Parliamentary Research Service, “Data subjects, digital surveillance, AI and the future of work,” in Panel for the Future of Science and Technology, Dec. 2020. [Online]. Available: https://www.europarl.europa.eu/RegData/etudes/STUD/2020/656305/EPRS_STU(2020)656305_EN.pdf
  • [27] A. Dixit, N. Kaur, and S. Kingra, “Review of audio deepfake detection techniques: Issues and prospects,” Expert Systems, vol. 40, e13322, 2023, doi: 10.1111/exsy.13322.
  • [28] N. Robins-Early. “CEO of WPP Targeted by Deepfake Scam.” TheGuardian.com. https://www.theguardian.com/technology/article/2024/may/10/ceo-wpp-deepfake-scam (accessed Jan. 9, 2025).
  • [29] M. U. Tanveer, K. Munir, M. Amjad, A. U. Rehman and A. Bermak, “Unmasking the fake: Machine learning approach for deepfake voice detection,” in IEEE Access, vol. 12, pp. 197442-197453, Apr. 2024, doi: 10.1109/ACCESS.2024.3521026.
  • [30] Z. Cai, A. Dhall, S. Ghosh, M. Hayat, D. Kollias, K. Stefanov and U. Tariq, “1M-Deepfakes detection challenge,” in Proc. 32nd ACM Int. Conf. Multimedia (MM ’24), 2024, pp. 11355–11359, doi: 10.1145/3664647.3689145.
  • [31] J. R. Reeder and T. Hall, “Cybersecurity’s Pearl Harbor moment: Lessons learned from the colonial pipeline ransomware attack,” The Cyber Defense Review, vol. 6, no. 3, pp. 15–40, 2021. [Online]. Available: https://www.jstor.org/stable/48631153.
  • [32] S. S. Wang, “Integrated framework for information security investment and cyber insurance,” Pacific-Basin Finance Journal, vol. 57, pp. 101173, 2019, doi: 10.1016/j.pacfin.2019.101173.
  • [33] Q. Xia, Q. Chen and S. Xu, “Near-ultrasound inaudible trojan (nuit): Exploiting your speaker to attack your microphone,” in Proc. 32nd USENIX Security Symp. (USENIX Security 23), Anaheim, CA, 2023, pp. 4589–4606. [Online]. Available: https://www.usenix.org/conference/usenixsecurity23/presentation/xia.
  • [34] C. Yan, X. Ji, K. Wang, Q. Jiang, Z. Jin and W. Xu, “A survey on voice assistant security: Attacks and countermeasures,” ACM Comput. Surv., vol. 55, no. 4, Art. no. 84, Apr. 2023, pp. 1–36, doi: 10.1145/3527153.
  • [35] J. S. Lloyd, C. G. Ludwikowski, C. Malik and C. Shen, "Mitigating inaudible ultrasound attacks on voice assistants with acoustic metamaterials," IEEE Access, vol. 11, pp. 36464-36470, 2023, doi: 10.1109/ACCESS.2023.3266722.
  • [36] F. Hall, L. Maglaras, T. Aivaliotis, L. Xagoraris and I. Kantzavelou, “Smart homes: Security challenges and privacy concerns,” in Proc. 2020 arXiv Preprint, Oct. 2020. [Online]. Available: https://arxiv.org/abs/2010.15394.
  • [37] Q. Yan, K. Liu, Q. Zhou, H. Guo and N. Zhang, “SurfingAttack: Interactive hidden attack on voice assistants using ultrasonic guided waves,” in Proc. Network and Distributed System Security Symposium (NDSS), 2020. doi: 10.14722/ndss.2020.24068.
  • [38] C. Bolton, S. Rampazzi, C. Li, A. Kwong, W. Xu and K. Fu, "Blue note: How intentional acoustic interference damages availability and integrity in hard disk drives and operating systems," in 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2018, pp. 1048-1062, doi: 10.1109/SP.2018.00050.
  • [39] A. Kwong, W. Xu and K. Fu, "Hard drive of hearing: Disks that eavesdrop with a synthesized microphone," in 2019 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2019, pp. 905-919, doi: 10.1109/SP.2019.00008.
  • [40] S. Panda, Y. Liu, G. P. Hancke and U. M. Qureshi, “Behavioral acoustic emanations: Attack and verification of PIN entry using keypress sounds,” Sensors, vol. 20, no. 11, pp. 3015, Nov. 2020, doi: 10.3390/s20113015.
  • [41] X. Xu, Y. Liang, X. Zhang, Y. Wang, Y. Lin, B. Adebisi, H. Gacanin and G. Gui, “Self-evolving malware detection for cyber security using network traffic and incremental learning,” in Conference: 2022 9th International Conference on Dependable Systems and Their Applications (DSA), 2022, pp. 454–463, doi: 10.1109/DSA56465.2022.00066.
  • [42] H. Ahmetoglu and R. Das, “A comprehensive review on detection of cyber-attacks: Data sets, methods, challenges and future research directions,” Internet of Things, vol. 20, p. 100615, 2022, doi: 10.1016/j.iot.2022.100615.
  • [43] B. Akbulut, “The principle of legality in the law of misdemeanors and violation the measures taken due to Covid-19,” Journal of Penal Law and Criminology, vol. 9, no. 1, pp. 197–253, 2021. doi: 10.26650/JPLC2020-837085.
  • [44] R. Erbaş, “Organized crime-related legislation in the Turkish criminal law,” Ceza Hukuku ve Kriminoloji Dergisi, vol. 3, no. 1, pp. 275–311, Jun. 2015. [Online]. Available: https://dergipark.org.tr/tr/download/article-file/14682.
  • [45] Council of Europe. “Convention on Cybercrime.” rm.coe.int. https://rm.coe.int/prems-105223-gbr-2023-convention-cybercrimininalite-a5-web-4-/1680ae7118 (accessed October 10, 2024).
  • [46] IWM Cybersec. “Information Security Audit.” IWMCybersec.com. https://iwmcybersec.com/information-security-audit/ (accessed October 10, 2024).
  • [47] Z. Wang, L. Sun and H. Zhu, “Defining social engineering in cybersecurity,” IEEE Access, vol. 8, pp. 85094–85115, Aug. 2020, doi: 10.1109/ACCESS.2020.2992807.
There are 47 citations in total.

Details

Primary Language English
Subjects Digital Forensics, Data Security and Protection
Journal Section Review
Authors

Nursel Yalçın 0000-0002-0393-6408

Bilge Lale 0009-0005-1919-0929

Publication Date June 30, 2025
Submission Date December 13, 2024
Acceptance Date May 27, 2025
Published in Issue Year 2025 Issue: 061

Cite

IEEE N. Yalçın and B. Lale, “Types of cyber-attacks with using voice”, JSR-A, no. 061, pp. 137–165, June 2025.
 Download Cover Image