Not for the first time Google Home and Amazon's Alexa have a security problem. Source: Fortune

Alexa and Google Home vulnerability allows eavesdropping and phishing

Raphael Knecht
22.10.2019
Translation: machine translated

Experts from Security Research Labs (SRLabs) have uncovered a new security vulnerability in Google's and Amazon's smart speakers. Not only were they able to listen in on conversations, they were also able to reveal passwords.

Disguised as an innocent upload of a simple Alexa skill or Google Action, malware can silently record conversations or even ask for passwords. This was demonstrated by security researchers at SRLabs using third-party software. The demonstration was intended not only as a call to Google and Amazon to revise their third-party requirements, but also as a call to users to remove third-party software from their devices if they are not using it.

Watch out for third-party programmes

There is no evidence that this vulnerability has already been exploited. The SRLabs researchers forwarded their findings to Google and Amazon before going public with them. SRLabs has published instructions on how to exploit the vulnerability in Google Home and Amazon's Alexa on its website.

Small and inconspicuous, but a spy in the wrong hands: the Google Home Mini. Source: inside digital

Third-party software is thoroughly checked by both Google and Amazon before it is approved and then made available on the smart speakers. ZDNet writes, however, that the two tech giants do not check updates to approved third-party software. Therefore, the security researchers managed to smuggle malicious code into their previously approved software, which can then get onto any user's speaker.

A clever trick makes it possible

In four videos, the SRLabs team explains how the hacks work. In one Google hack, the whole thing runs via a Google Action that generates a random number. The Action does exactly what it was asked to do and gives the user a random number. However, the software then continues to listen in, even though the original command sequence has already been completed. With Alexa, the trick works with a horoscope app that reads out what good and bad things are in store for your star sign today. This software can override the user's stop command and silently keep listening and transcribing. Other videos show how false error messages are used to ask for the user's password.

In all four cases, the SRLabs team managed to listen in even though a stop command was given or the action should have ended long ago. The security researchers achieved this by feeding the voice assistants with characters that they could not pronounce. As a result, the assistant says nothing - because it cannot pronounce these special characters - but continues to listen. The user does not notice this, as there is no feedback from the voice assistant and the command appears to be completed. Everything the user says from then on can be recorded and forwarded directly to a hacker.
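A review-time check for the two behaviours described above, run on every update rather than only on first approval. This is an added example, not code from SRLabs, Google or Amazon; the response layout (`speech`, `keeps_listening`), the thresholds and the sample data are assumptions constructed for illustration, with a private-use character standing in for an unpronounceable one.

```python
import re
import unicodedata

# Wording that suggests the response is soliciting a credential by voice.
CREDENTIAL_PROMPT = re.compile(r"\b(password|passcode|pin)\b", re.IGNORECASE)

def is_voiced(ch):
    """Letters and digits are what a speech engine can actually read out."""
    return unicodedata.category(ch)[0] in ("L", "N")

def silent_tail(text):
    """Length of the trailing run that contains nothing pronounceable."""
    n = 0
    for ch in reversed(text):
        if is_voiced(ch):
            break
        n += 1
    return n

def review_response(resp, max_silent_tail=3):
    """Return findings for one response of a skill or action."""
    speech = resp.get("speech", "")
    findings = []
    if resp.get("keeps_listening", False):
        if not any(is_voiced(ch) for ch in speech):
            findings.append("silent-listen")      # says nothing, mic stays open
        elif silent_tail(speech) > max_silent_tail:
            findings.append("silent-tail")        # speaks, then pads with silence
    if CREDENTIAL_PROMPT.search(speech):
        findings.append("credential-prompt")
    return findings

def review_update(responses):
    """Re-check every response of an updated version; return only flagged ones."""
    flagged = {}
    for name, resp in responses.items():
        findings = review_response(resp)
        if findings:
            flagged[name] = findings
    return flagged

# Constructed sample data: the version that passed review, then a later update.
UNVOICED = "\ue000. "  # private-use stand-in, constructed for this example
APPROVED = {"goodbye": {"speech": "Goodbye!", "keeps_listening": False}}
UPDATED = {
    "goodbye": {"speech": "Goodbye!" + UNVOICED * 20, "keeps_listening": True},
    "error": {"speech": "An update is available. Please say your password.",
              "keeps_listening": True},
    "number": {"speech": "Your number is 7.", "keeps_listening": False},
}

if __name__ == "__main__":
    print(review_update(APPROVED))
    print(review_update(UPDATED))
```
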

A never-ending story

According to Ars Technica, Amazon has already reacted and introduced new measures to prevent third-party skills from listening in or even asking for passwords in future. As soon as such behaviour occurs with a skill, it will be removed. When asked by Ars Technica, Google said that it has review processes in place that immediately uncover such behaviour and that it immediately removed the Actions programmed by SRLabs. In addition, an internal review of all third-party Actions is underway and certain add-ons have already been deactivated.

Amazon is in no way inferior to Google, unfortunately - the Amazon ECHO can also listen without being asked. Source: TechRadar

It's nothing new and not the first time that Amazon's Alexa or Google Home have had problems with eavesdropping or phishing. What's worrying about this story, however, is the fact that new vulnerabilities keep popping up, even though privacy has always been the biggest point of contention with smart speakers. If you already have doubts about the assistants themselves, then you should stay away from untrustworthy third-party software suppliers.

Do the same with smart speakers and third-party software as you would with guests in your home: only let in those you trust. And if you don't want to miss any more smart speaker, smart home or other tech news and trends, then follow me by clicking on the "Follow" button on the author profile.



When I'm not stuffing my face with sweets, you'll catch me running around in the gym hall. I’m a passionate floorball player and coach. On rainy days, I tinker with my homebuilt PCs, robots or other gadgets. Music is always my trusted companion. I also enjoy tackling hilly terrain on my road bike and criss-crossing the country on my cross-country skis. 
