The security of Amazon Echo and Google Home smart speakers was compromised after both companies approved for their online stores several applications that were modified to spy on users and steal their passwords. The apps were released under the guise of innocent horoscope services and sweepstakes, and were changed after approval to steal personal information.
The attackers had good intentions: the Berlin-based cybersecurity team Security Research Labs (SRL) wanted to alert technology companies to the need to improve the screening process for speaker services. Although not yet a mass-produced product, more and more companies are marketing smart speakers to listen to music and news, research online by
"With the enhanced functionality of these smart speakers, the number of attack opportunities is also increasing," notes the SRL team in a published attack report. "To avoid these 'smart spy' attacks, Amazon and Google need to improve the review and review process for third-party applications available in their stores." Once an application was approved, a change to its function did not require a second review. Taking advantage of this, SRL created applications that used the words "start" and "stop" for many different functions, from reading the speaker owner's daily horoscope to stealing the password for their Amazon or Google account.
To persuade the user to reveal the password, the German company programmed the applications to imitate the official voices of the Google and Amazon assistants, which asked for the code in order to update the application. This is a simple social engineering strategy known as phishing, in which attackers use fake forms to persuade someone to provide personal information.
"We could go further and ask the user to provide their email address so that they may be able to access Amazon or Google accounts," the team said.
The German company SRL also showed that it was possible to spy on users' conversations with the speakers, again using fake horoscope applications. After hearing predictions for their future, users had to say "stop." The keyword prompted the digital astrologer to say "goodbye," but the application remained active for a few seconds. If the user said something with the sound "ai" during this period (an interjection programmed by the German team to wake up the application), the information was transcribed and sent to the SRL team.
Both Google and Amazon have already removed the SRL applications and are investigating mechanisms for verifying applications to prevent similar problems from recurring. PÚBLICO attempted to contact the Google and Amazon teams but had not received an answer by the time this article was published.
This is not the first time the smart speakers of these companies have come under fire in 2019. In April, Amazon admitted that workers in various parts of the world listened to what customers said to their Echo smart speakers at home. Since then, Facebook, Microsoft, Apple and Google have admitted the same. It is a common quality-control practice, they argue. In Google's case, the feature was not enabled by default (the option was available in each user's account settings), but the company did not make it clear that the review process was performed by people rather than algorithms.
In recent years, the Echo speaker has also been responsible for some unusual cases: in May 2018, for example, the speaker recorded a private conversation between a couple in Portland, USA, and sent it to a contact by mistake. At the time, Amazon said the mistake had been caused by a series of misunderstandings by the speaker's digital assistant, which had been falsely woken up by a word in the background conversation [between the couple] that sounded like 'Alexa', the keyword that activates the assistant.
"The speakers from Amazon and Google are powerful and often useful devices, but the impact on privacy of an Internet-connected microphone is greater than previously thought," explains the SRL team. "Users need to be aware of the potential of maliciously crafted applications that abuse smart speakers. Installing a new app on a speaker should therefore be done with the same care as installing a new app on the phone."