Researchers have found new ways that bad actors can exploit Alexa and Google Home smart speakers to spy on users. This time the hack not only includes eavesdropping, but also voice-phishing, or tricking users into speaking their passwords aloud.
The vulnerability lies in the small third-party apps that extend the devices’ capabilities, called Skills on Alexa and Actions on Google Home, according to a report by Security Research Labs (SRLabs). These apps “can be abused to listen in on users or vish (voice phish) their passwords,” researchers said.
“The privacy implications of an internet-connected microphone listening in to what you say are further reaching than previously understood,” researchers wrote in their report. “Users need to be more aware of the potential of malicious voice apps that abuse their smart speakers.”
The new research is unsurprising, given the numerous other ways researchers already have found for hackers to access or record personal information of people using digital home assistants.
SRLabs called their findings “Smart Spies,” an apt name as any for these types of devices, given the evidence of how easy it is to misuse them to violate users’ privacy. Researchers said they already shared their findings with Amazon and Google.
Through the standard development interfaces that third parties use to extend the devices’ functionality, SRLabs researchers found two ways to compromise data privacy: requesting and collecting personal data, including user passwords, and eavesdropping on users after they think the smart speaker is no longer listening.
The hack has three so-called “building blocks,” researchers said. First, they leverage something called “fallback intent,” “which is what a voice app defaults to when it cannot assign the user’s most recent spoken command to any other intent and should offer help,” researchers said. This typically manifests itself as Alexa or another assistant uttering phrases such as, “I’m sorry, I did not understand that. Can you please repeat it?”
The second step applies specifically to eavesdropping on Alexa users, researchers said. Here they demonstrated how they could further exploit the devices’ built-in stop intent, which reacts to a user saying “stop,” by changing an intent’s functionality after the application had already passed the platform’s review process.
Lastly, researchers said the hack leverages “a quirk” in Alexa’s and Google’s text-to-speech engine that allows for the insertion of long pauses in the speech output.
Researchers outlined several scenarios in which they used these building blocks to dupe Alexa and Google Home into giving out a user’s password or allowing them to listen in on users.
In one, researchers demonstrate a four-step way to create a password phishing Skill/Action that will fool Alexa or Google Home into getting a user to say his or her password and then sending it to a hacker’s backend.
To help better protect users against Smart Spies attacks, Amazon and Google should implement better protections as soon as possible, starting with a more thorough review process of third-party Skills and Actions that are released through their voice-app stores, researchers recommended.
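As an added illustration of what such a review could check, here is a small reviewer-side scanner over a skill's recorded responses. It is example code written for this page, not code from SRLabs, Amazon or Google. It flags the three building blocks the report describes: a fallback intent that asks for credentials, a stop intent that leaves the session open, and responses padded with long pauses. The intent names `AMAZON.FallbackIntent` and `AMAZON.StopIntent` and the `shouldEndSession` response field are Alexa's; the pause threshold, the credential word list, the use of explicit SSML `<break>` tags as the pause signal, and the sample responses are assumptions constructed for the example.

```python
"""Reviewer-side heuristics for the "Smart Spies" building blocks.

Added example, not from the SRLabs report: scans a skill's responses
(constructed sample data below) and flags the patterns the article describes.
"""
import re
from dataclasses import dataclass

# Assumed review thresholds and patterns (not taken from the report).
MAX_TOTAL_BREAK_SECONDS = 5.0
CREDENTIAL_WORDS = re.compile(r"\b(password|passcode|pin|verification code)\b", re.I)
# Explicit SSML pause tags, e.g. <break time="10s"/> or <break time="500ms"/>.
BREAK_TAG = re.compile(r'<break\s+time="(\d+(?:\.\d+)?)(ms|s)"\s*/?>', re.I)


@dataclass
class Finding:
    intent: str
    rule: str
    detail: str


def total_break_seconds(ssml: str) -> float:
    """Sum the explicit SSML pauses in one response, in seconds."""
    total = 0.0
    for value, unit in BREAK_TAG.findall(ssml):
        total += float(value) / (1000.0 if unit.lower() == "ms" else 1.0)
    return total


def review_responses(responses):
    """Return a list of Findings for a list of response records.

    Each record is a dict with keys: intent (str), ssml (str) and
    should_end_session (bool, Alexa's shouldEndSession flag).
    """
    findings = []
    for r in responses:
        intent, ssml = r["intent"], r["ssml"]

        # Block 1: a fallback intent exists to offer help; one that asks for
        # a secret is a vishing prompt and should not pass review.
        if CREDENTIAL_WORDS.search(ssml):
            rule = ("credential-prompt-in-fallback"
                    if intent == "AMAZON.FallbackIntent" else "credential-prompt")
            findings.append(Finding(intent, rule, "response asks the user to speak a secret"))

        # Block 2: "stop" must actually end the session; keeping it open keeps
        # the microphone in use after the user believes the skill has quit.
        if intent == "AMAZON.StopIntent" and not r["should_end_session"]:
            findings.append(Finding(intent, "stop-keeps-session-open",
                                    "shouldEndSession is false on the stop intent"))

        # Block 3: long silence makes the user think the skill has finished
        # speaking while the session, and the microphone, are still active.
        secs = total_break_seconds(ssml)
        if secs > MAX_TOTAL_BREAK_SECONDS:
            findings.append(Finding(intent, "long-pause",
                                    f"{secs:.1f}s of explicit pauses in one response"))
    return findings


# Constructed sample responses: one benign, two matching the report's patterns.
SAMPLE_RESPONSES = [
    {"intent": "GetHoroscopeIntent",
     "ssml": "<speak>Today looks bright.</speak>",
     "should_end_session": True},
    {"intent": "AMAZON.FallbackIntent",
     "ssml": '<speak>Sorry, I did not get that. <break time="10s"/> '
             'Please say your password to continue.</speak>',
     "should_end_session": False},
    {"intent": "AMAZON.StopIntent",
     "ssml": '<speak>Goodbye. <break time="10s"/><break time="10s"/></speak>',
     "should_end_session": False},
]


if __name__ == "__main__":
    for f in review_responses(SAMPLE_RESPONSES):
        print(f"{f.intent}: {f.rule} ({f.detail})")
```

A review pipeline would run this against every response a skill can emit, and re-run it whenever the skill's backend or interaction model changes, since the report's second building block is precisely an intent whose behaviour is altered after the store review has passed. The pause check only sees explicit `<break>` tags; the report describes a separate text-to-speech quirk that produces long pauses, so a thorough review would also inspect the rendered audio rather than the SSML alone.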
The report is yet another addition to the ample evidence already demonstrated to prove that devices like Alexa and Google Home fall short when it comes to user privacy. It also isn’t the first time researchers found that developer resources can easily be used to exploit these smart home devices.
In May 2018, academic researchers revealed a technique called voice squatting, in which adversaries create a new, malicious skill specifically built to open when the user says certain phrases, tricking the speaker into opening it. Once the malicious app has tricked the device into opening it, it can go about eavesdropping or recording user activity, researchers said.