Study Confirms Google, Alexa do Eavesdrop

A report published by Security Research Labs argues that both Google and Amazon need to put in place better protection against third-party apps installed on their hardware.

 

A new report has come up with damning evidence that enhanced capabilities offered to apps on Google and Alexa gadgets could be used to listen in on users and to voice-phish their passwords or other security credentials.

The voice apps, called Skills for Alexa and Actions for Google Home, work in such a way that as the functionality of the speakers grows, so does the attack surface for hackers, says a research paper published on the SR Labs website. The flaws allow hackers to phish for sensitive data and eavesdrop on unsuspecting users of Google Home and Alexa.

SR Labs says it has created applications that demonstrate both hacks on the devices, turning the assistants into smart spies. The researchers showed that on both platforms an app is activated by the user’s invocation, followed by a command such as “read my horoscope for today”, which is converted to text and sent to the app’s backend, which is outside the purview of both Google and Amazon.

The company claims that, through standard development interfaces, its researchers could compromise data privacy in two ways: requesting and collecting personal data, including user passwords, and eavesdropping on users after they believe the smart speaker has stopped listening.

In fact, SR Labs elaborated on these security loopholes in a couple of videos, one on Alexa phishing and one on stealing a password.

This latest exposure of how technology can intrude on one’s privacy is sure to raise a few hackles in an industry already split down the middle over what is ethical and what is not when it comes to snooping into users’ habits and using that data to show targeted ads that nudge them towards purchasing decisions.

The study concludes that Google Home and Alexa are indeed powerful and useful listening devices in private environments, but that these enterprises need to understand the privacy implications of an internet-connected microphone listening to whatever is said at all times. It calls for more user awareness of malicious voice apps that abuse smart speakers.

“Using a new voice app should be approached with a similar level of caution as installing a new app on your smartphone,” says the report, which adds that in order to prevent such “smart spies” from invading our privacy, Amazon and Google need to implement better protection, starting with a more thorough review process of third-party apps on their voice stores.

It further says that voice app review needs to check explicitly for copies of built-in intents (the words used to describe activities that one usually asks these voice assistants to carry out), and that there should also be a check for unpronounceable characters and silent SSML messages that cause long pauses in the speaker output, something that hackers look to exploit at all times.
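The two output checks the report calls for, long SSML silences and runs of unpronounceable characters, can be automated during voice-app review. The following is an added example, not code from the report or from Amazon or Google; the thresholds, function names and sample responses are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumed review thresholds (not from the report); tune to store policy.
MAX_SILENCE_SECONDS = 5.0
MAX_UNSPEAKABLE_RUN = 3

BREAK_RE = re.compile(r'<break\b[^>]*\btime\s*=\s*"(\d+(?:\.\d+)?)(ms|s)"[^>]*>', re.I)
TAG_RE = re.compile(r"<[^>]+>")
# Categories with nothing to pronounce: control, format, surrogate, private use, unassigned.
UNSPEAKABLE = {"Cc", "Cf", "Cs", "Co", "Cn"}

# Constructed sample responses, not taken from any real voice app.
BENIGN = '<speak>Here is your horoscope. <break time="500ms"/> Expect a calm day.</speak>'
SUSPECT = ('<speak>Goodbye.' + '<break time="10s"/>' * 3
           + '\ue000. ' * 20 + 'Hello again.</speak>')

def total_silence_seconds(ssml):
    """Sum the durations of all explicit <break time="..."> tags."""
    total = 0.0
    for value, unit in BREAK_RE.findall(ssml):
        total += float(value) / 1000 if unit.lower() == "ms" else float(value)
    return total

def longest_unspeakable_run(ssml):
    """Longest run of unpronounceable characters in the spoken text.
    Whitespace and punctuation between them do not end a run."""
    best = run = 0
    for ch in TAG_RE.sub("", ssml):
        cat = unicodedata.category(ch)
        if ch.isspace() or cat.startswith("P"):
            continue
        run = run + 1 if cat in UNSPEAKABLE else 0
        best = max(best, run)
    return best

def review_response(ssml):
    """Return the review findings for one voice-app response."""
    findings = []
    if total_silence_seconds(ssml) > MAX_SILENCE_SECONDS:
        findings.append("long-silence")
    if longest_unspeakable_run(ssml) > MAX_UNSPEAKABLE_RUN:
        findings.append("unpronounceable-run")
    return findings

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, review_response(sample))
```

Because the report notes that the app backend sits outside the platform's purview, a check like this is only meaningful on responses as they are actually served, not just on what was submitted at certification time.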

