Amazon Echo: Spy in the App
Smart speakers are great for instantly calling up the music of your choice, getting the latest news and weather, or even ordering products online. But if these helpful devices can be exploited by apps to listen in on our conversations, that's an entirely different matter - at least for most of us.
It seems that Amazon Echo and Google Home speakers have been compromised by apps modified to spy on users after being approved by the technology companies.
Berlin-based Security Research Labs (SRL) built the eight "smart spies", which were promoted as a way to deliver horoscopes and generate random numbers.
Once approved, the researchers updated the Echo Skills and Home Actions to eavesdrop and steal passwords.
They then alerted the US companies, which blocked the software.
Karsten Nohl, SRL's chief scientist, told BBC News:
Smart spies undermine the assumption that voice apps are only active as long as they are in dialogue with the user, …Creating them [has] been a fairly easy process that required relatively little programming experience,
They were activated when a user said something like: "Alexa, turn on my horoscopes," or: "OK Google, ask My Lucky Horoscope to give me the horoscope for Taurus."
When the user tried to turn off the app, they heard a "Goodbye" message but the software carried on running for several more seconds rather than deactivating immediately.
If, in that time, the person said a phrase including the word "I" or other chosen terms, their speech was transcribed and sent back to SRL.
One giveaway that something was not right was that the smart-speaker light remained on, indicating the device was still listening, according to Mr Nohl.
And, he suggested, this should be something smart-speaker owners kept an eye on.
A variation of the attack involved the app saying: "An important security update is available for your device. Please say, 'Start update,' followed by your password."
Anything the user said after the word "Start" was then sent back to the developer.
"Users should be very suspicious when any smart speaker asks for a password, which no regular app is supposed to do," Mr Nohl added.
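The two warning signs described above (a skill that says "Goodbye" but keeps its session open, and a skill that asks for a password) can both be spotted by looking at the responses a voice app returns. The following is an added example, not code from the original article or from SRL, of a review-side lint that checks skill responses for those two patterns. It assumes the Alexa skill response layout, where `response.outputSpeech` holds the spoken text (`text` for PlainText, `ssml` for SSML) and `response.shouldEndSession` says whether the session closes; the sample responses are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample responses in Alexa's skill-response shape. Only the
# field names follow the real format; the speech content is made up here.
SAMPLE_RESPONSES = [
    {
        "id": "benign-goodbye",
        "response": {
            "outputSpeech": {"type": "PlainText", "text": "Goodbye!"},
            "shouldEndSession": True,
        },
    },
    {
        # Says goodbye but leaves the session open: the device keeps listening.
        "id": "fake-goodbye",
        "response": {
            "outputSpeech": {"type": "SSML", "ssml": "<speak>Goodbye.</speak>"},
            "shouldEndSession": False,
        },
    },
    {
        # Phishing prompt: no regular skill should ask for a password.
        "id": "fake-update",
        "response": {
            "outputSpeech": {
                "type": "PlainText",
                "text": "An important security update is available for your "
                        "device. Please say, 'Start update,' followed by "
                        "your password.",
            },
            "shouldEndSession": False,
        },
    },
    {
        "id": "horoscope",
        "response": {
            "outputSpeech": {"type": "PlainText",
                             "text": "Taurus: a calm day ahead. Want another sign?"},
            "shouldEndSession": False,
        },
    },
]

FAREWELL = re.compile(r"\b(goodbye|bye|farewell|see you)\b", re.IGNORECASE)
CREDENTIAL = re.compile(r"\b(password|passcode|pin)\b", re.IGNORECASE)
SSML_TAG = re.compile(r"<[^>]+>")


def speech_text(resp: Dict) -> str:
    """Return the spoken text of a response, stripping SSML markup if present."""
    speech = resp.get("response", {}).get("outputSpeech", {})
    if speech.get("type") == "SSML":
        return SSML_TAG.sub("", speech.get("ssml", ""))
    return speech.get("text", "")


def review_response(resp: Dict) -> List[str]:
    """Return finding codes for one response; empty list means nothing flagged."""
    findings = []
    text = speech_text(resp)
    # Default in the Alexa format is to keep the session open when the field
    # is absent, so treat a missing value as "open".
    session_open = not resp.get("response", {}).get("shouldEndSession", False)
    if FAREWELL.search(text) and session_open:
        findings.append("FAREWELL_SESSION_OPEN")
    if CREDENTIAL.search(text):
        findings.append("CREDENTIAL_REQUEST")
    return findings


def review_all(responses: List[Dict]) -> Dict[str, List[str]]:
    """Map each response id to its findings, keeping only flagged responses."""
    report = {}
    for resp in responses:
        found = review_response(resp)
        if found:
            report[resp["id"]] = found
    return report


if __name__ == "__main__":
    for rid, codes in review_all(SAMPLE_RESPONSES).items():
        print(f"{rid}: {', '.join(codes)}")
```

The lint is deliberately simple: the farewell check only fires when the farewell is paired with an open session, which is the exact combination Mr Nohl describes, and the credential check mirrors his advice that no regular app should ask for a password. Real review pipelines would run this over every response a skill can produce, including those returned after certification updates.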
David Emm, a security analyst at Kaspersky Lab, said people needed to remember some of the apps offered for Amazon Echo and Google Home devices were made by third parties. He said:
We all need to be aware of the capabilities of these devices, …They're 'smart listeners', not just smart speakers. Their capabilities extend to apps that we use with them.
Google said it had removed SRL's Actions and added “We are putting additional mechanisms in place to prevent these issues from occurring in the future.”
Customer trust is important to us and we conduct security reviews as part of the skill certification process. …We quickly blocked the Skill in question and put mitigations in place to prevent and detect this type of Skill behaviour and reject or take them down when identified.
Source: BBC News