Because we don’t have enough concerns about our digital privacy these days, it seems Amazon’s Alexa and Google Home both gave thumbs up to apps that could be used to eavesdrop on users and phish for their passwords.
As reported by Ars Technica, whitehat hackers at Germany’s Security Research Labs developed four apps, called “smart spies,” for each device that passed muster with Amazon and Google’s respective vetting processes, meaning they were approved for public use.
SRLabs disguised these malicious apps as useful tools like horoscope apps and random number generators. They were even given vague, generic names like “Skills” (for Alexa) and “Actions” (on Google Home).
The researchers developed two kinds of apps, one for eavesdropping and another for phishing.
The eavesdropping apps work just fine, but here’s the scary part: After they share a message that makes it seem like they are no longer running, they still record everything a user says.
Here is the Alexa skill in action.
And the random number generator created for Google Home.
Pretty damn creepy, right? And cause for concern, especially given what we’ve learned in recent months about the conversations that Alexa, Google Assistant, and Apple’s Siri record. And while those companies have all sworn to improve their respective systems and offer opt-outs, it’s the phishing apps from SRLabs that are really disconcerting.
In each case, the digital assistant responds to a user request with an error message and seems to quit. But the malicious app is actually waiting for a few moments before claiming an update for the device is available. It then requests a password so it can install the update.
Smart, security conscious users should be alarmed by this, knowing you should never be asked for a password in this way. But, chances are, people who aren’t as tech savvy, like your relatives who believe everything they read on Facebook, might be fooled.
In a blog post, SRLabs shares some interesting tidbits about how they got the hacks to work. For instance, with the Alexa eavesdropping app, after it gives its false closing message, the app needs a trigger word to being recording again. It’s not that hard to pull off with a generic trigger word like, “I.”
But SRLabs reveals that the same hack for the Google Home is far easier to trigger: “For Google Home devices, the hack is more powerful: There is no need to specify certain trigger words and the hacker can monitor the user’s conversations infinitely.”
Again, this is incredibly alarming given that all of these apps were approved by moderation teams for both Amazon and Google. According to Ars Technica, the original four apps demoed in the videos above were taken down by SRLabs themselves while four similar, German-language apps were taken down only after SRLabs disclosed the vulnerabilities to both companies.
An Amazon rep told Ars Technica, “Customer trust is important to us, and we conduct security reviews as part of the skill certification process. We quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified.”
Meanwhile, a Google rep told them, “All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies. We have review processes to detect the type of behavior described in this report, and we removed the Actions that we found from these researchers. We are putting additional mechanisms in place to prevent these issues from occurring in the future.”
We reached out to Amazon and Google for further comment on the report.
And, as always, trust no one.