HACKERS were able to abuse Amazon Alexa and Google Home smart speakers to eavesdrop on users’ conversations.
The dodgy exploit also allowed cyber-boffins to trick users into handing over sensitive info.
It raises huge concerns for the safety of millions of users who place their trust in smart digital assistants.
Cyber-experts at Security Research Labs revealed that these attacks have been possible for at least a year.
And they told ZDNet that Amazon and Google were warned about them “several months ago”.
The hack involves getting users to install rogue Skills, which are like voice-driven apps that you can install for your Alexa.
When you use Skills, the Skill provider gets the contents of your requests.
Hackers found that by adding a character (U+D801, dot, space) to locations inside the back-end of an app, they could artificially create long periods of silence.
During this silence, the assistant would remain active.
Then, an app could tell a user that the request has failed, insert the rogue character to start a long pause, and then output a phishing message later on.
This would trick the target into believing that the phishing message had nothing to do with the app.
“A horoscope app triggers an error, but then remains active,” researchers explained in one example.
“And eventually asks the user for their Amazon/Google password while faking an update message from Amazon/Google itself.”
The blue light remains on, showing that the speaker is still active and interpreting the rogue characters – but it may be missed by a user.
“Interactive voice systems that can be programmed by third-party developers provide a new avenue for social engineering,” said Tim Erlin, a cyber-expert at Tripwire.
“Developers can script conversations that are deployed to hundreds or thousands of users through an app.
“Apps like these, especially those that mimic the built-in virtual assistants, exploit the inherent trust consumers place in the major platform vendors.
At this point, consumers have devices that record audio, and often video, in their pockets and homes.
“We’re surrounded nearly 24/7 by devices with the capability to eavesdrop. It should be no surprise that such a broad target surface is attractive to attackers.”
This dodgy character could also be used for eavesdropping attacks.
The character sequence kicks in after a rogue app has responded to a user’s command.
It then keeps the device artificially active, recording your conversations, and logging them on an attacker’s computer.
Both attacks exploit Amazon and Google verification systems, which vet Skill/Action submissions – not not updates.
How to avoid hack attacks like this
Here's the official advice from Synopsys cyber-expert Boris Cipot…
- If you use smart assistants always be suspicious of any skill or app you install and use, much like you probably already do with mobile app downloads
- Do not provide any personal information like usernames or passwords without a good reason, and always check twice before doing so
- Even though home assistants and Internet of Things devices in general are transforming our homes into smart homes, these devices are still in their early days
- Unfortunately, this means that their security stance is still rather immature
- Don’t assume that your data is safe and secure using these devices – as a false sense of security is often what leads individuals into being scammed
“Customer trust is important to us, and we conduct security reviews as part of the skill certification process,” an Amazon spokesperson told The Sun.
“We quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behaviour and reject or take them down when identified.”
According to Amazon, there are systems in place to detect when Skills are trying to engage with you after you’ve said stop – or if a Skill asks for a password.
Amazon confirmed that this exploit no longer works on its own systems.
And as always, the visual indicator (in Amazon’s case, a blue ring), indicates that audio is still streaming.
“All Actions on Google are required to our developer policies, and we prohibit and remove any Action that violates these policies,” a Google spokesperson told The Sun.
“We have review processes to detect the type of behaviour described in this report, and we removed the Actions that we found from these researchers.
“We are putting additional mechanisms in place to prevent these issues from occurring in the future.”
It’s not clear if any users were impacted by the bug, but no reports have been made so far.
Also, users would need to have downloaded a rogue app for this hack to work.
MOST READ IN TECH
In other news, Amazon recently unveiled a Kindle Kids Edition with parental controls.
Amazon has launched a new programme to help young people build careers in computer science.
And the firm also recently launched Alexa glasses, an Alexa ring, a smart oven and a new Samuel L Jackson voice for your Echo speaker.
Do you trust Amazon and Google to protect your privacy? Let us know in the comments!
We pay for your stories! Do you have a story for The Sun Online Tech & Science team? Email us at firstname.lastname@example.org