Amazon Echo speaker

Researchers: Google and Amazon Smart Speakers Are Vulnerable to Phishing, Eavesdropping Hacks

A group of security researchers found that applications for Google Home and Alexa could be used to obtain passwords and overhear conversations from unsuspecting users.

Seemingly harmless applications for Google Home and Amazon Echo smart speakers can be used to eavesdrop on unsuspecting users, security researchers with SRLabs have discovered

Both speaker systems allow third-party developers to submit software that creates additional commands for customers, referred to as Google Actions and Alexa Skills. Google and Amazon review the software before it is released to the public, but the SRLabs team was able to get around that process by submitting updates to previously approved apps. 

Through its video series, SRLabs shows how hackers could take advantage of flaws in voice assistants to continue listening to a user for an extended period of time or even prompt them to hand over their password. The researchers gave Alexa and Google Home a series of characters it could not pronounce, which keeps the speaker silent but listening for further commands from the user. 

“It was always clear that those voice assistants have privacy implications—with Google and Amazon receiving your speech, and this possibly being triggered on accident sometimes," Fabian Bräunlein, senior security consultant at SRLabs, told ArsTechnica. "We now show that, not only the manufacturers, but... also hackers can abuse those voice assistants to intrude on someone's privacy."

In addition, the researchers found vulnerabilities that made it simple to generate a fake error message that then prompts the user to enter their password. The phishing hack is hidden within software that allows a speaker to ask for “today’s lucky horoscope.” 

There have been no reports that the security vulnerabilities have been used outside of the research. Prior to publishing its series on the issue, SRLabs turned over their research to Google and Amazon, both of which say they have taken steps to address the problems with the smart speakers. 

Google told Ars Technica it is undertaking an internal review of third-party software and has temporarily disabled some apps during the review. Both companies took down the apps posted by SRLabs. 

Tim Erlin, the vice president of product management and strategy at Tripwire, said that outside developers have the ability to script conversations deployed to hundreds or thousands of users with less oversight than official Google or Alexa apps. 

“Apps like these, especially those that mimic the built-in virtual assistants, exploit the inherent trust consumers place in the major platform vendors,” Erlin said. “We’re surrounded nearly 24/7 by devices with the capability to eavesdrop. It should be no surprise that such a broad target surface is attractive to attackers.”

About the Author

Haley Samsel is an Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

Featured Cybersecurity

Webinars

New Products

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3