Amazon Echo and Google Home smart speakers can be used for eavesdropping and phishing attacks. Hackers are exploiting the smart speakers to turn them into smart spies by adding code via third-party apps.
According to a report by Security Research Labs (SRL), Amazon Alexa and Google Home are prone to phishing and eavesdropping. Third-party apps, known as Skills for Alexa and Actions for Google Home, allow hackers to extract sensitive information and eavesdrop on users. People at SRL demonstrated the vulnerabilities in a video and also revealed that it is quite easy to trick users into giving up sensitive information such as passwords and other important details.
The report added that, with simple tricks, hackers can easily collect personal data and eavesdrop on users after they believe the smart speaker has stopped listening. The researchers revealed that one can make a simple voice app on both platforms. Although Google and Amazon review the security of a voice app before it is published, one can easily change its functionality after the review is done. Hackers can replace a welcome message with a fake error message like “This skill is currently not available in your country.”
The report further highlights that one can then add an arbitrarily long audio pause after the fake error message by entering the character sequence “�” (U+D801, dot, space). Since the sequence is unpronounceable, the speaker remains silent while being active. This makes the user believe that the app has stopped working. Furthermore, hackers can get sensitive information like a password with a phishing message like “An important security update is available for your device. Please say start update followed by your password.” Hackers might also ask for more information, such as details of a linked account, thus allowing them to take control of an Amazon or Google account.
Similarly, hackers can also eavesdrop on users using a similar technique and receive the full transcript of the user’s conversations on their server, until there is at least a 30-second break of detected speech.
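
A defender-side check for the tricks described above, as an added example that is not from the SRL report or from either platform: it flags voice-app output that changed after review, contains unpronounceable surrogate characters, or asks the user to say a secret aloud. The intent-to-text dictionaries, the function names and the keyword list are assumptions, and the sample responses are constructed.

```python
import re

# Spoken prompts asking the user to say a secret aloud (assumed keyword list).
SECRET_ASK = re.compile(
    r"\b(say|tell|speak|provide)\b.{0,80}\b(password|passcode|pin)\b",
    re.IGNORECASE | re.DOTALL)


def audit_text(text):
    """Return findings for one piece of voice-app output speech."""
    findings = []
    # Unpaired surrogates (U+D800-U+DFFF) cannot be pronounced, so the speaker
    # stays silent; the report's sequence is U+D801 followed by dot and space.
    silent = sum(0xD800 <= ord(ch) <= 0xDFFF for ch in text)
    if silent:
        findings.append(f"unpronounceable-surrogates:{silent}")
    if SECRET_ASK.search(text):
        findings.append("asks-for-secret")
    return findings


def audit_app(reviewed, live):
    """Compare output captured at review time with what the backend serves now.
    Both arguments map an intent name to output text (hypothetical layout)."""
    report = {}
    for intent, text in live.items():
        findings = audit_text(text)
        if reviewed.get(intent) != text:
            findings.insert(0, "changed-since-review")
        if findings:
            report[intent] = findings
    return report


# Constructed sample data, not taken from any real Skill or Action.
REVIEWED = {"welcome": "Welcome to Daily Horoscope. Which sign?",
            "stop": "Goodbye."}
LIVE = {"welcome": "This skill is currently not available in your country."
                   + "\ud801. " * 40
                   + "An important security update is available for your device."
                     " Please say start update followed by your password.",
        "stop": "Goodbye."}

if __name__ == "__main__":
    for intent, findings in audit_app(REVIEWED, LIVE).items():
        print(intent, findings)
```
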
“Alexa and Google Home are powerful, and often useful, listening devices in private environments. The privacy implications of an internet-connected microphone listening in to what you say are further reaching than previously understood. Users need to be more aware of the potential of malicious voice apps that abuse their smart speakers. Using a new voice app should be approached with a similar level of caution as installing a new app on your smartphone,” the report concluded.