Alexa and Google Home: new loopholes exploited by pirates to listen to you

Alexa and Google Home: new loopholes exploited by pirates to listen to you

Security researchers have discovered that it's possible to spy on conversations by adding code to Amazon's and Google's connected speaker applications. This is a form of voice phishing to force users to give confidential information such as a password or an email address, but also to record them without their knowledge.

As Kaspersky explained last week, hackers are heavily attacking connected objects, and speakers marketed by Amazon and Google are not immune to these cyber attacks. Security researchers from Security Research Labs (SRLabs) reveal that hackers have the ability to activate the microphone of the speakers without the users' knowledge. Which means they can listen and record conversations. They are also able to recover the password ...

This is not the first time that the Echo and Google Home speakers are the target of hackers, but this time, the attacks are like phishing, and as it is a scam by the voice, it is called it's "vishing". In their demonstration, the researchers created a third-party application called Skills at Alexa. In the first case, it is a question of asking for the password of the user, and for that, the hackers use an update of their application. In fact, Amazon and Google check the security of an app before it is released, but they do not check for updates after that.

Feign a bug to force the user to give his password

Hackers can insert malicious code into an update without being spotted. They integrate a false error message instead of the welcome message, available at launch: "This skill is currently not available in your country. The user then thinks that the application no longer works because it is not available. Except that the microphone remains activated, without the knowledge of the user. Then, after a while, the phishing message is pronounced: "A significant security update is available for your device. Please signify the start of the update followed by your password. "

As soon as the user says "start", to start the update, all the following is sent to the hackers ... and therefore the password. The researchers explain that it is perfectly possible to request an email address, in addition to the password.

The phishing demonstration with an Amazon speaker. © SRLabs

On Google Home, spying can be unlimited

The other method is to pretend that the speaker is off, while the microphone continues to record. For devices that work with Alexa, voice recording is started when the user pronounces certain words imposed by the developer of a skill. This allows you to choose common words to launch functions. The experts discovered that it was possible to add an unpronounceable sequence of characters to a voice command. Like for example, "bye" or "goodbye". The user thinks to close the application, and therefore the microphone, except that the addition of a sequence of unpronounceable characters ( ), by the hacker, allows to extend the session. It's as if the hacker has added a dumb "e" behind "bye". The user thinks to close the application, but the microphone remains open ...

On Google Home, the flaw uses the same principle with the addition of a brief silence after a command or a sequence of unpronounceable characters ( ), but the danger would be even greater since the hacker could monitor conversations without time limit , and he could even get his hands on all the orders that follow the usual "OK Google", and thus imitate the operation of popular applications for other actions of "vishing".

The two experts warned Amazon and Google of their discoveries, and if Google immediately responded by correcting the flaw, for now, speaker maker Alexa has not responded to their discovery.

On Google Home, the lure allows you to record each conversation as a command and send them to the hacker's server. © SRLabs