01:36 - Source: CNNBusiness
Marriott CEO: Vaccinations are 'the key' to travel recovery
Now playing
01:36
Marriott CEO: Vaccinations are 'the key' to travel recovery
Nigerian former Foreign and Finance Minister Ngozi Okonjo-Iweala smiles during a press conference on July 15, 2020, in Geneva, following her hearing before World Trade Organization 164 member states' representatives, as part of the application process to head the WTO as Director General. (Photo by Fabrice COFFRINI / AFP) (Photo by FABRICE COFFRINI/AFP via Getty Images)
PHOTO: FABRICE COFFRINI/AFP/Getty Images
Nigerian former Foreign and Finance Minister Ngozi Okonjo-Iweala smiles during a press conference on July 15, 2020, in Geneva, following her hearing before World Trade Organization 164 member states' representatives, as part of the application process to head the WTO as Director General. (Photo by Fabrice COFFRINI / AFP) (Photo by FABRICE COFFRINI/AFP via Getty Images)
Now playing
04:05
WTO Chief: We need equitable and affordable access to vaccines
Goya Foods President Robert Unanue speaks at a press conference with Carlos Vecchio, the Venezuelan Ambassador who is recognized by the United States on December 21, 2020 in Doral, Florida. The two held the press conference to discuss details of a recent shipment of humanitarian aid to Venezuela, donated by Goya Foods. (Photo by Joe Raedle/Getty Images)
PHOTO: Joe Raedle/Getty Images
Goya Foods President Robert Unanue speaks at a press conference with Carlos Vecchio, the Venezuelan Ambassador who is recognized by the United States on December 21, 2020 in Doral, Florida. The two held the press conference to discuss details of a recent shipment of humanitarian aid to Venezuela, donated by Goya Foods. (Photo by Joe Raedle/Getty Images)
Now playing
03:24
Goya CEO under fire for false Trump election claims
Now playing
01:23
'There should be no threats': Biden's message to union-busters
Misinformation Trump Capitol March rn orig_00004630.png
Misinformation Trump Capitol March rn orig_00004630.png
Now playing
04:08
These Trump supporters are convinced he will be president again on March 4
PHOTO: CNN
Now playing
02:54
'Biggest trial of my life': Landlord says eviction moratorium has drained her savings
Now playing
01:36
Michael Bolton wants you to break up with Robinhood
Now playing
01:57
Fed chief downplays inflation concerns
Now playing
04:34
See what has happened to Trump's DC hotel after his loss
Now playing
01:41
Meet the 29-year-old cancer survivor set to make history in space
WASHINGTON, DC - JANUARY 15: MyPillow CEO Mike Lindell waits outside the West Wing of the White House before entering on January 15, 2021 in Washington, DC. (Photo by Drew Angerer/Getty Images)
PHOTO: Drew Angerer/Getty Images
WASHINGTON, DC - JANUARY 15: MyPillow CEO Mike Lindell waits outside the West Wing of the White House before entering on January 15, 2021 in Washington, DC. (Photo by Drew Angerer/Getty Images)
Now playing
00:39
MyPillow and its CEO Mike Lindell sued by Dominion
Bill Gates AC intv 022021
PHOTO: CNN
Bill Gates AC intv 022021
Now playing
02:32
Will Bill Gates go back to shaking hands? Hear his thoughts
02 Bill Gates AC intv 02202021
PHOTO: CNN
02 Bill Gates AC intv 02202021
Now playing
02:13
Bill Gates optimistic about climate policy under Biden WH
Now playing
05:37
Texas mayor: We were not prepared
Now playing
03:05
Watch lawmakers grill Robinhood's CEO
(CNN Business) —  

Usually you have to talk to voice assistants to get them to do what you want. But a group of researchers determined they can also command them by shining a laser at smart speakers and other gadgets that house virtual helpers such as Amazon’s Alexa, Apple’s Siri and Google’s Assistant.

Researchers at the University of Michigan and Japan’s University of Electro-Communications figured out they could do this silently and from hundreds of feet away, as long as they had a line of sight to the smart gadget. The finding could enable anyone (with motivation and a few hundred dollars’ worth of electronics) to attack a smart speaker from outside your house, making it do anything from playing music to opening a smart garage door to buying you stuff on Amazon.

A Google Home smart speaker photographed on a kitchen counter, taken on January 9, 2019. (Photo by Olly Curtis/Future via Getty Images)
PHOTO: Olly Curtis/Future/Getty Images
A Google Home smart speaker photographed on a kitchen counter, taken on January 9, 2019. (Photo by Olly Curtis/Future via Getty Images)

In a new paper, the researchers explained that they were able to shine a light that had a command encoded in it (such as “OK Google, open the garage door”) at a microphone built into a smart speaker. The sounds of each command were encoded in the intensity of a light beam, Daniel Genkin, a paper coauthor and assistant professor at the University of Michigan, told CNN Business on Monday. The light would hit the diaphragm built into the smart speaker’s microphone, causing it to vibrate in the same way as if someone had spoken that command.

The researchers exploited the vulnerability in tests to do things like trigger a smart garage door opener and ask what time it is.

A list of devices that the researchers tested and said are vulnerable to such light commands includes Google Home, Google Nest Cam IQ, multiple Amazon Echo, Echo Dot, and Echo Show devices, Facebook’s Portal Mini, the iPhone XR, and the sixth-generation iPad. Smart speakers typically don’t come with any user authentication features turned on by default; the Apple devices are among a few exceptions that required the researchers to come up with a way to work around this privacy setting.

The findings could concern consumers, as well as the companies that offer voice assistants. Over the past five years, the market for assistant-using smart speakers — Amazon’s Alexa and its Echo smart speakers in particular — has ballooned. According to data from tech market researcher Canalys, companies shipped 26.1 million smart speakers in the second quarter. Amazon is sitting on top of this market: Canalys reports Amazon shipped a quarter of these speakers, or an estimated 6.6 million between April and June.

The cost for anyone to do likewise could be less than $400: On a website related to the work, researchers outline the equipment needed, which includes an under-$20 laser pointer, a $339 laser driver, and a $28 sound amplifier.

“If you have a laser that can shine through windows and across long distances — without even alerting anyone in the house that you’re hitting the smart speaker — there’s a big threat in being able to do things a smart speaker can do without permission of the owner,” said Benjamin Cyr, a graduate student at the University of Michigan and a paper coauthor.

Researchers said the Google Home device and first-generation Echo Plus could be commanded over the longest distance: 110 meters (about 361 feet). The researchers said that distance was the longest area they could use (a hallway) when conducting tests.

The researchers noted that they haven’t seen this security issue being taken advantage of. One way to avoid any potential issues, though, is to make sure your smart speaker can’t be seen by anyone outside your home.

Researchers said the weakness can’t truly be fixed without redesigning the microphones, known as MEMS microphones, that are built into these devices, however, which would be a lot more complicated. Takeshi Sugawara, a visiting scholar at the University of Michigan and the paper’s lead author, said one way to do this would be to create an obstacle that would block a straight line of sight to the microphone’s diaphragm.

Gekin said he contacted Google, Apple, Amazon and other companies to address the security issue.

Spokespeople for Google and Amazon said their companies are reviewing the research. Apple declined to comment.