Hackers Employed Google Home and Amazon Alexa to Eavesdrop and Record Passwords
Start a discussion on the privacy implications of owning a smart speaker like Amazon's Alexa or Google's Home, and you are likely to see two well-defined groups of people form almost immediately. The first one will argue that smart speakers are basically internet-connected wiretaps which can be used for spying on us and should, therefore, be kept as far away from our homes as possible. The other group will tell the skeptics to put their tinfoil hats away and enjoy the convenience of high-tech Internet of Things (IoT) gadgets.
The fact that Amazon and Google have sold millions of home assistant devices shows that there are more smart speaker fans than opponents. Amazon Alexa and Google Home owners might want to be a bit more careful with their optimism, however, because a couple of days ago, experts from SRLabs published a report which shows that in this particular case, the conspiracy theories might not be that far-fetched.
Out of the box, smart speakers come with quite a few useful features, especially if you connect them to other IoT devices. The home assistants' functionality can be extended further with the help of third-party apps (or skills), however, and as you might have guessed already, SRLabs' researchers found not one, but two ways of abusing these third-party applications.
Malicious smart speaker skills can steal users' login credentials
The first of the two attacks starts with the user asking Alexa or Google Home to fetch their horoscope using a skill developed by the researchers. Instead of reading the horoscope, however, the app returns an error message saying that the service is not available in this country. After about a minute of silence, the smart speaker suddenly announces that a security update is available and that installing it requires the user's password.
In reality, there is no update, and the whole operation is designed to steal people's login credentials. After the error message, the malicious horoscope application feeds the smart speaker's text-to-speech engine with an unpronounceable string of characters – "�. " (U+D801, dot, and a space) which keeps the assistant silent for a preset period of time. This is done to trick people into thinking that the application has closed, which is essential if they are going to believe that an update really is pending. From then on, the success of the phishing attack is dependent on whether or not the user is oblivious to the fact that a smart speaker would never ask for a password in such a fashion. In SRLabs' second attack, the user's understanding of how these devices work plays a smaller part.
Smart speakers can be turned into wiretaps
In this case, the strategy for Amazon Alexa and Google Home was slightly different, but the goal was identical – stealthily eavesdropping on users.
For Alexa, the researchers developed another Horoscope app that can actually read the horoscope. The attacker hopes that halfway through the explanation of Mercury's influence over our personal lives, the user grows tired and issues a "Stop" command. The app seemingly complies, and Alexa even says "Goodbye". As you may have guessed, however, the app hasn't actually closed. Using the same unpronounceable string (�. ), the researchers silence the smart speaker, and the malicious horoscope app is waiting to hear any recognizable speech. Everything it records is sent to the attacker.
With Google Home, SRLabs put together a random number generator application that did what was expected of it. After generating the number, the app also says "Goodbye", and the user is tricked into thinking that it has closed. In reality, the session remains open, and the app waits to see if anything will be said during a preset period of time. If it does hear something, it records it and sends it to the attacker. Worryingly, the researchers said that under the right circumstances, the eavesdropping period can be extended indefinitely.
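Both patterns described above (unpronounceable padding to fake silence, a credential prompt, and a "Goodbye" that does not actually end the session) are visible in the skill's own response payload, so a store reviewer or a skill developer's CI gate can lint for them. The following is an added example, not SRLabs' code or Amazon's review tooling; it assumes the Alexa custom-skill JSON response shape (outputSpeech, reprompt, shouldEndSession) and constructs its own sample responses.

```python
import re
import unicodedata

# Constructed sample responses in the shape of an Alexa custom-skill response
# object; hypothetical illustrations of the article's two patterns, not SRLabs' skills.
BENIGN = {"response": {
    "outputSpeech": {"type": "PlainText",
                     "text": "Your horoscope for today: expect a calm day. Goodbye."},
    "shouldEndSession": True}}

FAKE_UPDATE = {"response": {
    "outputSpeech": {"type": "PlainText",
                     # unpronounceable U+D801 padding, then a bogus update prompt
                     "text": "This service is not available in your country. "
                             + "\ud801. " * 20
                             + "A security update is available. Say your password."},
    "shouldEndSession": False}}

FAKE_GOODBYE = {"response": {
    "outputSpeech": {"type": "PlainText", "text": "Goodbye. " + "\ud801. " * 10},
    "shouldEndSession": False,  # session stays open after the farewell
    "reprompt": {"outputSpeech": {"type": "PlainText", "text": "\ud801. " * 10}}}}

CREDENTIAL_WORDS = re.compile(r"\b(password|passcode|passphrase|pin|credentials?)\b", re.I)
FAREWELL = re.compile(r"\b(goodbye|bye)\b", re.I)

def unpronounceable_chars(text):
    """Code points a TTS engine cannot voice: surrogates, unassigned, private use."""
    return [c for c in text if unicodedata.category(c) in ("Cs", "Cn", "Co")]

def speech_texts(resp):
    """Spoken fields of a response: main speech plus reprompt (plain text or SSML)."""
    r = resp.get("response", {})
    fields = [r.get("outputSpeech", {}), r.get("reprompt", {}).get("outputSpeech", {})]
    return [f.get("text") or f.get("ssml", "") for f in fields if f]

def lint_response(resp):
    """Return the findings for one skill response; an empty list means nothing flagged."""
    joined = " ".join(speech_texts(resp))
    findings = []
    bad = unpronounceable_chars(joined)
    if bad:
        findings.append(f"{len(bad)} unpronounceable code points (e.g. U+{ord(bad[0]):04X}) fake silence")
    if CREDENTIAL_WORDS.search(joined):
        findings.append("speech asks the user for a credential")
    ends = resp.get("response", {}).get("shouldEndSession", True)  # absent: treat as ended
    if FAREWELL.search(joined) and not ends:
        findings.append("says goodbye but keeps the session, and the microphone, open")
    return findings
```

Running `lint_response` over every response a skill emits during certification, and again on each update, catches the change SRLabs slipped in after the initial review.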
Google and Amazon haven't done enough to vet smart speaker apps
SRLabs' intention wasn't just to show everyone how they could be phished and spied upon in theory. They wanted to see how practical these attacks could be, which is why the horoscope and random number generator skills actually appeared on Google's and Amazon's app stores.
The skills did go through a check before they were published, but the researchers found that once the apps were out there, Google and Amazon did nothing to review new features and updates. SRLabs initially published apps that were completely benign and later added the malicious components without any issues.
Both Amazon and Google have promised that their vetting processes will be updated. We can only hope that this is indeed the case, because it's quite clear that third-party software isn't reviewed as well as it should be, especially considering that the devices it runs on carry microphones placed in what should be the privacy of our own homes.