Amazon and Google unwittingly approved smart-speaker apps designed to eavesdrop on users and steal their passwords
- Researchers planted spying apps on Google and Amazon smart speakers
- The apps tested device security and were approved by Google and Amazon
- Apps eavesdropped and attempted to steal users’ passwords
- Experts warns that smart speakers can and will be targeted by hackers
Researchers successfully sneaked malicious apps behind the defenses of two major smart speaker companies in a test on their security practices.
Experts at Security Research Labs say the apps were design to target personal data like voice-recordings and passwords of both Google Home and Amazon Echo users by posing as software that reads horoscopes through voice-commands.
The apps were only removed once researchers made the company aware of their test.
Security researchers planted eight apps designed to spy on users onto the Google Home and Amazon Echo (pictured above) as part of a test on device security (File photo)
All eight of the apps designed by the researchers were able to bypass Amazon and Google defenses and were approved by the companies’ moderation teams – a lapse that experts say invites even greater scrutiny on smart devices’ privacy and safety standards.
‘As the functionality of smart speakers grows so too does the attack surface for hackers to exploit them,’ write the researchers in their report.
‘The flaws allow a hacker to phish for sensitive information and eavesdrop on users. We created voice applications to demonstrate both hacks on both device platforms, turning the assistants into “Smart Spies”.’
One app was designed to trick users into thinking their device no longer listening by announcing a fake error message after being roused by a wake-word.
In reality, however, the app remains open with the microphone engaged which would allow hackers to eavesdrop on any subsequent conversations within earshot.
Another attack serves users a fake prompt asking for users to update their systems by spelling out their password. That transcript is then captured and sent to a remote server.
Google’s brand of smart home products like its Nest Mini (pictured above) are among the most popular voice-controlled products on the market (File photo)
‘All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies. We have review processes to detect the type of behavior described in this report, and we removed the Actions that we found from these researchers,’ a Google spokesperson told MailOnline.
‘We are putting additional mechanisms in place to prevent these issues from occurring in the future.’
Researchers say exploits should act as a wake-up call for users of microphone-enabled smart home devices who may not be aware the technology can be exploited by hackers.
‘The privacy implications of an internet-connected microphone listening in to what you say are further reaching than previously understood,’ the researchers write.
‘Users need to be more aware of the potential of malicious voice apps that abuse their smart speakers. Using a new voice app should be approached with a similar level of caution as installing a new app on your smartphone.’
Google, Amazon, Apple, Facebook, and Microsoft were all recently swept up in their own scandals after the companies were found to be using contractors to pore over voice-commands given by users of their products.
The programs often scraped up audio not intended for their devices like business calls, sex, porn searches, and other private conversations.
WHY ARE PEOPLE CONCERNED OVER PRIVACY WITH AMAZON’S ALEXA DEVICES?
Amazon devices have previously been activated when they’re not wanted – meaning the devices could be listening.
Millions are reluctant to invite the devices and their powerful microphones into their homes out of concern that their conversations are being heard.
Amazon devices rely on microphones listening out for a key word, which can be triggered by accident and without their owner’s realisation.
The camera on the £119.99 ($129) Echo Spot, which doubles up as a ‘smart alarm’, will also probably be facing directly at the user’s bed.
The device has such sophisticated microphones it can hear people talking from across the room – even if music is playing.
Last month a hack by British security researcher Mark Barnes saw 2015 and 2016 versions of the Echo turned into a live microphone.
Fraudsters could then use this live audio feed to collect sensitive information from the device.