Smart speaker owners beware—attackers have found a clever way of exploiting devices offered by Amazon and Google to both listen in on your conversations and dupe you into forking over private information, such as your account password, credit card details, and other details that should be kept close to the vest.
What makes this possible are flaws that allow third-party app developers to leverage Google Home and Amazon Alexa devices in malicious ways. This is not an entirely new scheme, but while Amazon and Google have patched similar security flaws in the past, new ones keep popping up.
Security Research Labs (SRLabs) notes that one such vulnerability consists of adding a long audio pause after a fake error message. Malicious developers can do this by injecting the character sequence "�. " (U+D801, dot, space) into the code of their apps.
This amounts to a smart phishing attempt. For example, a malicious app ostensibly designed to provide horoscope information to a user will do that when invoked through Alexa. However, the characters above keep the speaker active but silent for a period of time, tricking the user into thinking the interaction has ended. A little while later, the malicious app falsely claims an update is available and asks for the user's password, email address, or any other data.
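A defender-side illustration of the technique described above, and of SRLabs' later remark that banning long pauses should be straightforward: a store-side review check that flags a voice app's response text when it contains unpronounceable lone surrogate code points (U+D801 is one) or declares an unusually long total silence through SSML break tags. This is an added example, not code from SRLabs, Amazon or Google; the thresholds, the sample responses and the function names are constructed for illustration, and the SSML break handling assumes the standard `<break time="..."/>` form.

```python
"""Review check for voice-app responses engineered to produce a long silent pause.

Added example, not SRLabs', Amazon's or Google's code. Thresholds and the
sample responses below are constructed for illustration.
"""
import re
from typing import Dict, List


def lone_surrogate_count(text: str) -> int:
    """Count code points in U+D800..U+DFFF.

    A lone surrogate is never a valid character on its own, and U+D801 from the
    SRLabs write-up falls in this range. A text-to-speech engine cannot
    pronounce it, so a run of them yields silence while the session stays open.
    """
    return sum(1 for ch in text if 0xD800 <= ord(ch) <= 0xDFFF)


# SSML <break> elements are the legitimate way to pause; the total is summed so
# the same effect cannot be hidden behind many short breaks (assumed tag form).
SSML_BREAK = re.compile(r'<break\s+time="(\d+(?:\.\d+)?)(ms|s)"\s*/?>', re.IGNORECASE)


def silent_seconds(text: str) -> float:
    """Sum the silence declared via SSML <break> tags, in seconds."""
    total = 0.0
    for value, unit in SSML_BREAK.findall(text):
        total += float(value) / (1000.0 if unit.lower() == "ms" else 1.0)
    return total


# Constructed review policy: no lone surrogates are ever legitimate, and more
# than a few seconds of declared silence in one response deserves a human look.
MAX_LONE_SURROGATES = 0
MAX_SILENCE_SECONDS = 3.0


def review_response(text: str) -> Dict[str, object]:
    """Return a verdict plus the reasons, so a reviewer can see why it fired."""
    surrogates = lone_surrogate_count(text)
    silence = silent_seconds(text)
    reasons: List[str] = []
    if surrogates > MAX_LONE_SURROGATES:
        reasons.append(f"{surrogates} unpronounceable lone-surrogate code points")
    if silence > MAX_SILENCE_SECONDS:
        reasons.append(f"{silence:.1f}s of declared SSML silence")
    return {
        "suspicious": bool(reasons),
        "reasons": reasons,
        "lone_surrogates": surrogates,
        "silence_seconds": silence,
    }


# Constructed sample responses: one benign, two using the pause trick.
BENIGN = 'Your horoscope for today: expect good news.<break time="500ms"/>Goodbye!'
PAUSE_ABUSE = (
    "This skill is currently not available in your country. "
    + "\ud801. " * 40
    + "An important update is available. Please say your password."
)
SSML_ABUSE = "Sorry, an error occurred." + '<break time="10s"/>' * 6 + "Please say your password."

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("pause_abuse", PAUSE_ABUSE), ("ssml_abuse", SSML_ABUSE)):
        verdict = review_response(sample)
        print(name, "->", "FLAG" if verdict["suspicious"] else "ok", verdict["reasons"])
```

The check runs on the response text an app submits, before any audio is synthesized, which is the point at which a store review can act; in practice the same check would be applied to responses generated at runtime, since a malicious app can change what it returns after certification.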
Here is a video of the exploit in action (note that the ring around the speaker stays lit after the interaction has seemingly ended)...
This affects both Google and Amazon devices. In addition, hackers are not only leveraging smart devices for phishing schemes, they are taking advantage of various flaws to eavesdrop on users as well.
"We were able to listen in on conversations after a user believes to have stopped our voice app. To accomplish this, we use a slightly different strategy for each of the voice speaker platforms," SRLabs states.
While the strategies are slightly different, they both accomplish the same thing. Here's a look at the end result, on a Google Home speaker...
"Alexa and Google Home are powerful, and often useful, listening devices in private environments. The privacy implications of an internet-connected microphone listening in to what you say are further reaching than previously understood. Users need to be more aware of the potential of malicious voice apps that abuse their smart speakers," SRLabs says.
Furthermore, SRLabs recommends using the same level of caution when installing a voice app on a smartphone.
The onus does not completely fall on the user, though. Amazon and Google both have a responsibility to prevent these types of attacks from working in the first place, and that is an ongoing battle. In this particular case, SRLabs says it disclosed these vulnerabilities to both companies.
"Finding and banning unexpected behavior such as long pauses should be relatively straight-forward," SRLabs told ZDNet. "We are surprised that this hasn't happened since reporting the vulnerabilities several months ago."
Amazon has not commented on the situation. Google, on the other hand, says part of its review process is to detect this very type of behavior, which runs afoul of its developer policies. The company also says it is "putting additional mechanisms in place to prevent these issues from occurring in the future."