Over the holidays, Destin Sandlin from SmarterEveryDay released a video demonstrating how many popular smart home devices (like Google Home, Amazon Echo, and even Siri) can be fed voice commands from afar with a laser. If you haven't seen it yet, go give it a watch — it's a fascinating video. Importantly, as Destin points out, this exploit likely doesn’t present much risk to the average consumer — precisely aiming finely-tuned lasers, converting a voice message into the correct beam sequence, and having proper line of sight to the target device’s MEMS microphone all present roadblocks that make this strategy pretty impractical. That being said, understanding what access your smart assistants have to your light switches, locks, and garage doors — and how secure those assistants are — is important information you should equip yourself with. So, let’s see what options we have to protect Siri and your iPhone from attacks like this one, as well as others.
Disabling “Hey Siri” (or Siri Entirely)
The way the laser exploit in Destin’s video works is by targeting the MEMS microphone that listens for the “Hey Siri” summon phrase and the subsequent command. Naturally, the easiest way to prevent this laser hack — or just prevent someone with a similar-enough voice from activating Siri — is disabling “Hey Siri” entirely. This means you’ll have to long-press the side button to activate Siri manually, but nothing less than physical access to your device will allow someone to trick Siri into unlocking your doors. Navigate to Settings > Siri & Search and turn the "Listen for Hey Siri" toggle off. Now, even a precisely aimed laser with encoded voice instructions aimed at your phone won't be able to trigger any action by Siri. If you are extra concerned about someone misusing Siri (despite its many useful features), you can also disable it entirely by toggling off both "Hey Siri" and "Press Side Button for Siri".
Limiting Access to Your Locked Device
Siri already restricts certain actions and requests if your phone is not unlocked — for instance, asking “Where is my wife?” to find their location using Find My always requires your iPhone to be unlocked. As Destin found out in his video, unlocking a smart lock or opening a garage door also requires your iPhone to be unlocked — the operating system understands that access to a physical location is being requested, so it rightly asks for some authentication.
When it comes to less sensitive requests (like turning on a smart lightbulb), Siri is more lax by default. Luckily, some granular control exists if you’re worried about covert efforts to dim your lights. If you navigate to the “Face ID & Passcode” page in Settings, there is a section called "Allow Access When Locked" with various toggles for different tools and features. As you might guess, toggling any one of these off means that feature cannot be accessed while the phone is locked. If you toggle "Home Control" off, voice commands involving smart home devices will require you to set up a HomeKit PIN to control the devices with Siri — that is, unless you unlock your phone. Disabling HomeKit access from the lock screen prevents malicious actors equipped with either laser beams or good vocal impression skills from adjusting your thermostat without permission.
(While you're flipping these toggles anyway, consider securing your device further by turning off USB Accessory access.)