In a test on Google and Amazon’s security processes and defenses, researchers were able to successfully sneak malicious software into both the Google Home and Amazon Echo smart speakers.
Researchers based at a company called ‘Security Research Labs’ say that custom applications were designed by their team to target users’ personal data. The apps were specifically designed to look for personal data such as voice recordings or passwords, before siphoning it off from the smart speakers. It did so by posing as third-party software designed to read your horoscope using voice commands.
The applications were eventually removed from both the Echo and Home devices, but not until the researchers made Google and Amazon aware of the study. At this point, the software would already have had to have been reviewed by security moderation teams for both companies.
In total, eight different applications were released into the wild by the researchers and every single one of them were successful in bypassing the security put in place by the two software and hardware giants. All of these apps were vetted and approved by both companies, a security lapse that experts in the field have said invites more stringent reviews of the privacy associated with smart home devices.
‘As the functionality of smart speakers grows so too does the attack surface for hackers to exploit them (..) The flaws allow a hacker to phish for sensitive information and eavesdrop on users. We created voice applications to demonstrate both hacks on both device platforms, turning the assistants into “Smart Spies”.’Researchers at Security Research Labs
One of these applications tricked users into believing that their smart speaker was no longer listening to them properly by providing a spoofed error message once it was made active via a ‘wake word’. However, the speaker was actually still listening with its microphone primed, meaning that hackers could potentially eavesdrop on anything said within the room if they used a similar tactic.
And another of the eight applications used a fake message to ask users to run a system update by spelling their password out. The recording would then be captured and transmitted to a remote location.
‘All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies. We have review processes to detect the type of behavior described in this report, and we removed the Actions that we found from these researchers (…) We are putting additional mechanisms in place to prevent these issues from occurring in the future. ‘A Google spokesperson talks to the Daily Mail
The team of researchers also pointed out how, “users need to be more aware of the potential of malicious voice apps that abuse their smart speakers. Using a new voice app should be approached with a similar level of caution as installing a new app on your smartphone.”
Indeed, you should always be wary of installing any third-party software onto your devices, whether that’s your smart home device, or your mobile phone or tablet. If in doubt, give WiseGuys a call on 0808 123 2820 and we can provide you advice on how to best secure your devices against malicious attacks and security breaches.