It was already known that Amazon and Google can hear what users say through their Echo and Home smart speakers. Now a group of security researchers has demonstrated how easily third-party voice apps can eavesdrop on users and voice-phish sensitive information such as passwords.
Researchers at Germany's SRLabs demonstrated two attack scenarios, eavesdropping and phishing, on both Amazon Alexa and Google Home/Nest devices. They built eight voice apps (Skills for Alexa and Actions for Google Home) to show how these smart speakers can be turned into smart spies. All of the malicious voice apps passed Amazon's and Google's respective screening processes.
Different approaches were used to eavesdrop on Amazon Alexa and Google Home users and to phish information from them. In each case the researchers changed the functionality of their Skills and Actions after Amazon and Google had approved them, and those changes triggered no second round of review.
Voice phishing passwords on Amazon Echo and Google Home speakers
In the video below, a user asks Alexa to start a skill called My Lucky Horoscope, a malicious Alexa skill that SRLabs created and later modified to phish for passwords.
Instead of a welcome message, the skill replies, “This skill is currently not available in your country.” At this point the user would assume the skill has stopped listening, but it has not: the modified skill follows the message with a character sequence that Alexa cannot pronounce, so the speaker stays silent while the session remains open and the device keeps listening.
The skill then plays a phishing message: “A new update is available for your Alexa device. Please say start followed by your password.” Amazon never asks for passwords in this manner, but an unsuspecting user can be caught off guard.
A similar approach was used for voice-phishing passwords on a Google Home Mini speaker.
Eavesdropping on users through Amazon Echo and Google Home speakers
For eavesdropping on Amazon's speaker, the researchers again used the horoscope skill. It tricks the user into believing it has stopped while it silently keeps listening in the background.
For Google Home the hack was even easier: there was no need to specify trigger words in order to eavesdrop. In this case, the researchers note, the user is put in a loop as “the device constantly sends voice inputs to the hacker’s server while outputting short silences in between.”
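Both tricks described above (the fake "not available" exit that keeps the session open with unpronounceable characters, and the password prompt) leave traces in the response a voice app sends back to the platform. The following is an added example, not SRLabs' code and not an official Amazon or Google tool: a small lint pass over Alexa-style skill responses that flags a turn which sounds like the app has stopped but keeps listening, silent output while the session stays open, and a spoken request for a credential. The response field names follow the public Alexa skill response format (`response.outputSpeech`, `response.shouldEndSession`); the sample responses are constructed here, and the lone surrogate code point used to stand in for an unpronounceable sequence is an assumption, since the page does not give the exact characters SRLabs used.

```python
"""Lint voice-app responses for the silent-listening and voice-phishing patterns
described in the SRLabs research. Added example; the sample responses below are
constructed for this demonstration, not captured from a real skill."""
import re
import unicodedata

# Phrases that make a user believe the app has finished (constructed list).
EXIT_PHRASES = (
    "not available in your country",
    "currently not available",
    "goodbye",
)
# Words a legitimate platform flow would never ask the user to speak aloud.
CREDENTIAL_WORDS = ("password", "passcode", "pin code", "credit card")

SSML_TAG = re.compile(r"<[^>]+>")


def speech_text(response: dict) -> str:
    """Extract the spoken text from an Alexa-style response, stripping SSML tags."""
    speech = response.get("response", {}).get("outputSpeech", {})
    raw = speech.get("text") or speech.get("ssml") or ""
    return SSML_TAG.sub("", raw)


def unpronounceable(text: str) -> list[str]:
    """Return code points a TTS engine cannot speak: surrogates, control,
    private-use, format and unassigned characters (tabs/newlines excluded)."""
    bad = []
    for ch in text:
        if ch in "\n\t":
            continue
        if unicodedata.category(ch) in ("Cs", "Cc", "Co", "Cf", "Cn"):
            bad.append(f"U+{ord(ch):04X}")
    return bad


def lint_response(response: dict) -> list[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    text = speech_text(response)
    lowered = text.lower()
    # Alexa keeps the session open (device keeps listening) when
    # shouldEndSession is false; the field defaults to true when omitted.
    keeps_listening = not response.get("response", {}).get("shouldEndSession", True)

    if keeps_listening and any(p in lowered for p in EXIT_PHRASES):
        findings.append("exit-sounding message but session kept open (fake stop)")

    bad = unpronounceable(text)
    if keeps_listening and (bad or not text.strip()):
        detail = ", ".join(bad) if bad else "empty speech"
        findings.append(f"silent turn while listening: {detail}")

    hits = [w for w in CREDENTIAL_WORDS if w in lowered]
    if hits:
        findings.append(f"voice-phishing prompt asks for: {', '.join(hits)}")
    return findings


# --- Constructed sample responses (not SRLabs' real payloads) ---
BENIGN = {"version": "1.0", "response": {
    "outputSpeech": {"type": "PlainText",
                     "text": "Your horoscope today: a good day for new projects."},
    "shouldEndSession": True}}

# Fake exit: "not available" message followed by an unpronounceable sequence
# (a lone surrogate is used here as a stand-in; assumption, see lead-in),
# with the session deliberately left open.
FAKE_EXIT = {"version": "1.0", "response": {
    "outputSpeech": {"type": "PlainText",
                     "text": "This skill is currently not available in your country. "
                             + "\ud801. " * 3},
    "shouldEndSession": False}}

PHISH = {"version": "1.0", "response": {
    "outputSpeech": {"type": "SSML",
                     "ssml": "<speak>A new update is available for your Alexa device. "
                             "Please say start followed by your password.</speak>"},
    "shouldEndSession": False}}

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("fake_exit", FAKE_EXIT), ("phish", PHISH)):
        print(name, lint_response(sample) or ["clean"])
```

The check is deliberately cheap: it looks only at what the platform already receives from the skill's endpoint on every turn, which is exactly the data a post-approval review would need. Since the research showed that a skill's behaviour can change after certification without re-review, a lint like this is only useful if it runs continuously on live responses, not once at submission time.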
SRLabs has taken down all the apps demoed in the videos above and reported its findings to Amazon and Google.
As per Ars Technica, both companies responded by saying that they are changing their approval processes and adopting additional mechanisms to avoid such hacks in the future.
However, neither Amazon nor Google has said when these issues will be fixed, and there is no way of knowing whether any skill or action misused these loopholes in the past.