Because we don't have ???? ???enough concerns about our digital privacy these days, it seems Amazon's Alexa and Google Home both gave thumbs up to apps that could be used to eavesdrop on users and phish for their passwords.
As reported by Ars Technica, whitehat hackers at Germany's Security Research Labs developed four apps, called "smart spies," for each device that passed muster with Amazon and Google's respective vetting processes, meaning they were approved for public use.
SRLabs disguised these malicious apps as useful tools like horoscope apps and random number generators. They were even given vague, generic names like "Skills" (for Alexa) and "Actions" (on Google Home).
The researchers developed two kinds of apps, one for eavesdropping and another for phishing.
The eavesdropping apps work just fine, but here's the scary part: After they share a message that makes it seem like they are no longer running, they still record everything a user says.
Here is the Alexa skill in action.
And the random number generator created for Google Home.
Pretty damn creepy, right? And cause for concern, especially given what we've learned in recent months about the conversations that Alexa, Google Assistant, and Apple's Siri record. And while those companies have all sworn to improve their respective systems and offer opt-outs, it's the phishing apps from SRLabs that are reallydisconcerting.
In each case, the digital assistant responds to a user request with an error message and seems to quit. But the malicious app is actually waiting for a few moments before claiming an update for the device is available. It then requests a password so it can install the update.
Smart, security conscious users should be alarmed by this, knowing you should never be asked for a password in this way. But, chances are, people who aren't as tech savvy, like your relatives who believe everything they read on Facebook, might be fooled.
In a blog post, SRLabs shares some interesting tidbits about how they got the hacks to work. For instance, with the Alexa eavesdropping app, after it gives its false closing message, the app needs a trigger word to being recording again. It's not that hard to pull off with a generic trigger word like, "I."
But SRLabs reveals that the same hack for the Google Home is far easier to trigger: "For Google Home devices, the hack is more powerful: There is no need to specify certain trigger words and the hacker can monitor the user’s conversations infinitely."
Again, this is incredibly alarming given that all of these apps were approved by moderation teams for both Amazon and Google. According to Ars Technica, the original four apps demoed in the videos above were taken down by SRLabs themselves while four similar, German-language apps were taken down only afterSRLabs disclosed the vulnerabilities to both companies.
SEE ALSO: A fake Amazon Alexa app somehow got into the iOS App StoreAn Amazon rep told Ars Technica, "Customer trust is important to us, and we conduct security reviews as part of the skill certification process. We quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified."
Meanwhile, a Google rep told them, "All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies. We have review processes to detect the type of behavior described in this report, and we removed the Actions that we found from these researchers. We are putting additional mechanisms in place to prevent these issues from occurring in the future."
We reached out to Amazon and Google for further comment on the report.
And, as always, trust no one.
Topics Amazon Alexa Cybersecurity Google Assistant Google Home
Murder Suspect Dies in Custody
Elon Musk is now the official 'Technoking' of Tesla, whatever that means
New Twitter survey asks about how rules should apply to world leaders
Rivian to build exclusive fast charging network, similar to Tesla Superchargers
Aizumi Named to Biden Foundation Advisory Council on LGBTQ Equality
GoPro will finally let you control your camera and edit videos in one app
'How To with John Wilson' and coping with the pandemic anniversary
There probably won't be a new Samsung Galaxy Note this year
Man Charged with Stabbing Murder of His 92
What happens when we get everyone online and close the digital divide?
‘Wall That Heals’ to Be Displayed in Gardena
Apple discontinues two more iMac desktop configurations
SXSW beat the pandemic by building Austin in VR for festival attendees
Facebook will stop recommending Groups that break its rules
Muratsuchi, Calderon Announce Bill Establishing Surfing as Official State Sport
A complete ranking of all 8 'Leprechaun' horror movies
Huawei P50's camera bump looks absolutely ridiculous (according to renders)
Wikipedia wants to charge Google, Amazon, and Apple for using its content
Kurt Ikeda Named OCA GLA Interim Executive Director
'Avatar' passes 'Avengers: Endgame' for box office record
Best Black Friday PS5 controller deal: Save $20 on DualSense wireless controllerWhat's new to streaming this week? (Nov. 22. 2024)One More Page 3 campaign highlights breast cancer awarenessBest Black Friday TV deal: Save $170 on Amazon Fire TVBest Black Friday TV deal: Save $170 on Amazon Fire TVBest Black Friday PS5 headset deal: Save $20 on Pulse Elite wireless headset'Scattered Spider' scammers charged in sophisticated, millionBest Black Friday PS5 controller deal: Save $20 on DualSense wireless controllerYouTuber MrBeast goes pro with Charlotte Hornets jersey sponsorshipNYT Connections hints and answers for November 22: Tips to solve 'Connections' #530. Why a mighty Antarctic glacier started purging more ice into the sea Darnella Frazier won a Pulitzer for her video of George Floyd's murder How to connect your laptop to your TV Kevin Hart's 'Fatherhood' is bland but sweet: Movie review OnePlus to become a sub 'Loki' episode 3 slows down to lay some sneaky groundwork Disney orders Gaston from 'Beauty and the Beast' miniseries 'Love, Victor' did the "best friend's little sister" trope right China's Zhurong rover takes an adorable group selfie on Mars Google Doodle commemorates Juneteenth with illustrations of Black joy
0.1341s , 9859.59375 kb
Copyright © 2025 Powered by 【???? ???】Creepiest Alexa and Google Assistant security fail yet,Feature Flash
