Third-party apps hosted on Google and Amazon smart speakers could be secretly eavesdropping on users or phishing for their passwords, according to Security Research Labs, a hacking consultancy based in Germany.
How they know: The company created eight apps—four for Amazon Alexa and four for Google Home—that surreptitiously logged all conversations within earshot of the device they were installed on, and then sent a copy to a designated server. They mostly masqueraded as apps for checking horoscopes, according to Ars Technica. In the eavesdropping version, a user would ask the app to give them a horoscope. It would respond with the information requested and then go silent, giving the impression it was no longer running when in fact it was still recording. The phishing-style apps gave a fake error message and then asked for the user’s password. They all passed Google’s and Amazon’s security vetting procedures, although they have since been removed. The developers explained how the apps were created in a post, which you can read here.
The companies’ response: Both told Ars Technica they are changing their approval processes to stop their products from being hijacked this way. However, that they were ever approved in the first place is evidence that tech companies do not invest enough time or energy in vetting the apps they choose to host on their platforms.
Mounting concern: It’s widely known that smart speakers pose a privacy threat. Workers employed by the likes of Amazon, Google, and Apple routinely listen to clips from users’ devices, and the sounds recorded from smart speakers can be used in criminal trials (not that this has dented their popularity with the paying public).
Some context: This isn’t the first time hackers have shown that a smart speaker can be turned into a spying device. In a December 2018 presentation at DefCon, a pair of researchers proved it’s possible if you can get the attack tool onto the same Wi-Fi network. But this latest attack shows that the privacy threat from smart speakers could come not only from the manufacturers, but from hackers too.
Sign up here for our daily newsletter The Download to get your dose of the latest must-read news from the world of emerging tech.
