2 min read

Alexa and Google Home devices can be exploited to eavesdrop on users, phish passwords

Graham CLULEY

October 21, 2019


Many of us have given a home to voice-controlled speakers such as the Amazon Echo and Google Home, using them to control music, turn off the lights, or simply to get a kick out of asking them silly questions.

But it hasn’t all been fun and games, with revelations that the digital assistants were routinely sending recordings to third-party subcontractors in an attempt to improve speech recognition performance – recordings that users expected to be private and confidential.

Now researchers at SRLabs have revealed just how easy it is for third parties to exploit the so-called “smart” speakers that many homeowners have purchased to eavesdrop on conversations and even steal passwords and credit card details.

The team at SRLabs in Germany uncovered two potential methods which can be used in a similar fashion against both Amazon Alexa and Google Home devices.

Both methods exploit the fact that after an initial review of newly-submitted Skills and Actions by third-party developers, both Amazon and Google fail to properly check for malicious behaviour when a developer issues an update.

Attack scenario one:

A seemingly innocent app is updated by its developers to pretend that it cannot run. In SRLabs’ video demonstration, this is done by playing a fake error message

“This skill is currently not available in your country.”

before falling silent.

Typically a user would believe that the app is no longer running after hearing the message, but in reality it is still running and has been programmed to stay silent for a period of time (perhaps a minute or more).

Finally, the app plays a phishing message which requests sensitive information. For instance:

“An important security update is available for your device. Please say start update followed by your password.”

Amazon and Google’s digital assistants would never ask you to say your password out loud, of course, but it’s easy to imagine how some users might find this convincing.

Attack scenario two:

Researchers at SRLabs discovered that it was also possible to listen in on conversations within range of a digital assistant after users believed the app had stopped.

For instance, on a Google Home it was possible to create an app that constantly sent recognised speech to a server controlled by the attacker. According to SRLabs, this continues until there is at least a 30-second break in detected speech, although it is possible to extend the eavesdropped period if required.

What the researchers at SRLabs demonstrate is something security and privacy advocates have been saying for some time: having a device in your home which can listen to your conversations introduces risks.

In particular it’s not a good idea if the devices are able to run third-party apps which have not been properly reviewed by the digital assistant’s manufacturers, or if insufficient vetting is undertaken when new versions of the apps are released.

Amazon and Google are making a serious error if they believe that a single check when an app is first submitted is enough to confirm that the app will always behave itself in future. More needs to be done to protect users of such devices from privacy-busting apps.

Remember – when you introduce a listening device into your home, you’re not only putting trust in the manufacturer but also the thousands of third-party developers who might have produced the apps that you run upon it.
