Amazon Echo speaker

Researchers: Google and Amazon Smart Speakers Are Vulnerable to Phishing, Eavesdropping Hacks

A group of security researchers found that applications for Google Home and Alexa could be used to obtain passwords and overhear conversations from unsuspecting users.

Seemingly harmless applications for Google Home and Amazon Echo smart speakers can be used to eavesdrop on unsuspecting users, security researchers with SRLabs have discovered

Both speaker systems allow third-party developers to submit software that creates additional commands for customers, referred to as Google Actions and Alexa Skills. Google and Amazon review the software before it is released to the public, but the SRLabs team was able to get around that process by submitting updates to previously approved apps. 

Through its video series, SRLabs shows how hackers could take advantage of flaws in voice assistants to continue listening to a user for an extended period of time or even prompt them to hand over their password. The researchers gave Alexa and Google Home a series of characters it could not pronounce, which keeps the speaker silent but listening for further commands from the user. 

“It was always clear that those voice assistants have privacy implications—with Google and Amazon receiving your speech, and this possibly being triggered on accident sometimes," Fabian Bräunlein, senior security consultant at SRLabs, told ArsTechnica. "We now show that, not only the manufacturers, but... also hackers can abuse those voice assistants to intrude on someone's privacy."

In addition, the researchers found vulnerabilities that made it simple to generate a fake error message that then prompts the user to enter their password. The phishing hack is hidden within software that allows a speaker to ask for “today’s lucky horoscope.” 

There have been no reports that the security vulnerabilities have been used outside of the research. Prior to publishing its series on the issue, SRLabs turned over their research to Google and Amazon, both of which say they have taken steps to address the problems with the smart speakers. 

Google told Ars Technica it is undertaking an internal review of third-party software and has temporarily disabled some apps during the review. Both companies took down the apps posted by SRLabs. 

Tim Erlin, the vice president of product management and strategy at Tripwire, said that outside developers have the ability to script conversations deployed to hundreds or thousands of users with less oversight than official Google or Alexa apps. 

“Apps like these, especially those that mimic the built-in virtual assistants, exploit the inherent trust consumers place in the major platform vendors,” Erlin said. “We’re surrounded nearly 24/7 by devices with the capability to eavesdrop. It should be no surprise that such a broad target surface is attractive to attackers.”

About the Author

Haley Samsel is an Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

Featured Cybersecurity

Webinars

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3