Posted On 21 Nov 2019
Smart speakers such as Google Home or Amazon Echo are unquestionably handy in the home, but concerns are being raised that their security could use a little boost.
Such concerns have been around since the speakers were first introduced, and Security Research Labs, based in Berlin, have been investigating claims that the devices can be employed for eavesdropping on users or harvesting personal information.
The researchers have demonstrated that it is indeed possible to attack users through these devices with third-party voice apps (Alexa Skills and Google Actions), and they have shown how attackers can circumvent the review processes put in place by Google and Amazon.
One of the attacks sends fake update alerts to users in order to obtain their passwords. It exploits the fact that once an app has passed review, neither Google nor Amazon re-review it when its behaviour is changed afterwards.
Having had a harmless app approved, the researchers changed it so that when users invoked it through the speaker they were told it was not working. The app then went silent, leading users to believe it had exited, when in fact it was still running. After a pause, the app played a message imitating the Google Assistant or Alexa voice, announcing that a software update was available and asking users to say their password in order to install it.
The same ability to change an approved app without further review is used in an even more insidious way in a second attack.
Here the malicious app stays open when the user thinks it has been shut down and listens for trigger words such as “I”. When it hears one, it starts sending everything the user says to the attackers, who can then hear not only private conversations but also every further command issued to the device. That opens the door to interception attacks, e.g. impersonating the user’s bank to obtain financial details.
The researchers have passed on their findings to both Google and Amazon, with the recommendation that the approval process for apps should be tightened up.
It is also recommended that both companies check submitted apps for unpronounceable characters, which let an app appear to have gone silent while it is still listening, and that any app whose output mentions the word “password” be rejected, since no app should need to request a password through a speaker.
In the meantime, users should exercise caution with these devices and under no circumstances speak their passwords to them.
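As an added illustration of the two checks recommended above, not code from the article or from Security Research Labs, the following Python audits the response strings a voice app would send to the speaker. It flags characters a text-to-speech engine cannot voice (the trick that lets an app sound as if it has stopped while it is still running) and any output that asks for a password. The sample responses, the choice of Unicode categories treated as “silent”, and the password pattern are all assumptions made for this example; U+D801 is used only as one instance of an unpronounceable code point.

```python
"""Reviewer-side check for voice-app (Skill/Action) response text.

Added example. Flags the two things a store review could screen for:
  1. characters a text-to-speech engine cannot pronounce, which let a
     response stay "silent" while the app is still active and listening;
  2. output that mentions a password, which no voice app should need.
All sample strings below are constructed for this example.
"""
import re
import unicodedata

# Unicode general categories that speech synthesis cannot voice.
# Assumption: this list is our own heuristic, not a documented store rule.
#   Cn = unassigned, Cs = surrogate, Co = private use,
#   Cc = control, Cf = format (e.g. zero-width space)
SILENT_CATEGORIES = {"Cn", "Cs", "Co", "Cc", "Cf"}
ALLOWED_WHITESPACE = {"\n", "\r", "\t"}  # harmless controls in normal text

# Matches "password", "pass word", "passcodes", "passphrase", ... (assumed pattern)
PASSWORD_RE = re.compile(r"\bpass\s?(?:word|code|phrase)s?\b", re.IGNORECASE)


def find_unpronounceable(text):
    """Return (offset, 'U+XXXX', category) for each character TTS cannot voice."""
    hits = []
    for offset, ch in enumerate(text):
        if ch in ALLOWED_WHITESPACE:
            continue
        category = unicodedata.category(ch)
        if category in SILENT_CATEGORIES:
            hits.append((offset, f"U+{ord(ch):04X}", category))
    return hits


def audit_response(text):
    """Return a list of human-readable findings for one response string."""
    findings = []
    for offset, codepoint, category in find_unpronounceable(text):
        findings.append(
            f"unpronounceable character {codepoint} ({category}) at offset {offset}"
        )
    if PASSWORD_RE.search(text):
        findings.append("response mentions a password")
    return findings


def audit_app(responses):
    """Audit every labelled response of an app; return only the ones with findings."""
    report = {}
    for label, text in responses.items():
        findings = audit_response(text)
        if findings:
            report[label] = findings
    return report


# Constructed sample: one benign response and three in the style of the
# attacks described in the article (fake error + silence, fake update
# asking for a password, farewell padded with invisible characters).
SAMPLE_RESPONSES = {
    "launch": "Welcome to Daily Horoscope. Which star sign would you like to hear?",
    "fake_error": "This skill is currently not available in your country. "
                  + "\ud801. " * 5,          # lone surrogate: TTS stays silent
    "fake_update": "An important security update is available for your device. "
                   "To install it, please say your password.",
    "stop": "Goodbye." + "\u200b" * 3,      # zero-width spaces after the farewell
}


if __name__ == "__main__":
    # Print findings only; never echo the raw text, since it may contain
    # code points that cannot be encoded for the terminal.
    for label, findings in audit_app(SAMPLE_RESPONSES).items():
        print(label)
        for finding in findings:
            print("  -", finding)
```

Run as a script it lists the three constructed responses that fail and why; imported, `audit_app` can be pointed at the full response table of an app under review. Because the check runs on the text the app emits rather than on its code, it also catches the case the article highlights, where the behaviour changes after approval, provided it is re-run on each update.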