Google and Amazon allowed creepy eavesdropping apps onto their smart speakers

Yikes.


Voice assistants are everywhere nowadays, and the conversation around them currently is all about privacy, naturally.

Now there’s a new issue to add to the growing list: Both Google and Amazon were caught lazily approving suspicious apps onto their platforms. A major vulnerability was discovered by whitehat hackers over at Germany’s Security Research Labs.

The apps accepted by both Google and Amazon were created by the researchers to test a couple of potential attack vectors, which could eavesdrop on the unsuspecting user or be used to phish for their credentials. Yikes. Basically, the apps are built to listen in on you or trick you into handing over your password.

Just great: both Amazon and Google were allowing apps to be used as spies, with eavesdropping and phishing capabilities.


To test their exploits, the security researchers created eight innocent-looking apps, consisting of seven horoscope apps and one random-number generator. Four were uploaded to Amazon Alexa’s platform and another four to Google Home.

In these seemingly innocent apps, they planted the ability to extend the recording time, turning them into eavesdropping tools, or ways to phish for the user’s password. So instead of listening to just a two-second window, the researchers extended that time to whatever they wanted, basically creating a mic in your home with the sole purpose of extracting sensitive data. The video above outlines one of these attacks on a Google Home device.

Alexa devices could be turned into eavesdropping, credential-phishing tools as well, like in this next video:

Both Google and Amazon have put out statements since the security researchers presented their findings, stating that mitigations have been put in place for these types of attacks and that the app review process has been strengthened. You can read the full statements here.

Still, the fact that the researchers could get these onto the platforms in the first place is worrying. How many unknown apps have similar hacks in them? There’s no concrete evidence saying that third-party apps have been stealing information, but it’s possible. Next time you want to add a third-party app to your voice assistant, maybe do a little research first.
