Threat from Windshield: Vehicle Windows as Involuntary Attack Sources on Automotive Voice Assistants

As automotive voice assistants (AVAs) become increasingly cen- tral to modern vehicles, their vulnerability to attacks exploiting inaudible sounds should raise security concerns. However, such concerns are often deemed low priority, because it is widely be- lieved that an attacker to AVAs should be strategically positioned inside the concerned vehicle for two main reasons: i) inaudible signals can barely penetrate vehicle hulls and ii) a line-of-sight (LoS) path is needed between the attacker (sound source) and the AVA's microphone. In this paper, we disprove this common belief by proposing ShieldSpear to launch AVA attacks outside vehicle hulls. ShieldSpear exploits a tiny piezo-element placed on the exterior of the windshield to convert it into both a speaker and microphone. While this setting naturally brings the attacking sound source into a vehicle, strategically placing this compactly integrated element may further yield i) covertness (blended into stickers), ii) LoS path to AVA's microphones, and iii) real-time attacking capability dur- ing vehicle motion. To maintain sufficient volume while evading detection, we design novel hardware and signal carriers for deliver- ing attack (voice) commands. Moreover, ShieldSpear leverages the windshield-converted microphone to acquire drivers' voiceprint so as to accurately emulate it in the faked commands. Extensive experiments involving five mainstream vehicles have demonstrated the effectiveness of ShieldSpear by a 90.9% end-to-end success rate in injecting faked voice commands into AVAs.