Google and Amazon allowed creepy eavesdropping apps onto their smart speakers
Voice assistants are everywhere nowadays, and the conversation around them currently is all about privacy, naturally.
Now there’s a new issue to add to the growing list: Both Google and Amazon were caught lazily approving suspicious apps onto their platforms. A major vulnerability was discovered by whitehat hackers over at Germany’s Security Research Labs.
The apps accepted by both Google and Amazon were created by the researchers to test a couple of potential attack vectors, which could eavesdrop on the unsuspecting user or be used to phish for their credentials. Yikes. Basically, the apps are built to listen in on you or trick you into handing over your password.
Just great, both Amazon and Google were allowing apps to be used as spies, with eavesdropping and phishing capabilities
To test their exploits, the security researchers created eight innocent-looking apps, consisting of seven Horoscope apps and one random-number generator. Four were uploaded to Amazon Alexa’s platform and another four to Google Home.
In these seemingly innocent apps, they planted the ability to extend the recording time, turning them into eavesdropping tools, or ways to phish for the user’s password. So instead of listening to just a two-second window, the researchers extended that time to whatever they wanted, basically creating a mic in your home with the sole purpose of extracting sensitive data. The video above outlines one of these attacks on a Google Home device.
Alexa devices could be turned into eavesdropping, credential-phishing tools as well, like in this next video:
Both Google and Amazon have put out statements since the security researchers presented their findings, stating that mitigations have been put in place for these types of attacks and that the app review process has been strengthened. You can read the full statements here.
Still, the fact that the researchers could get these onto the platforms in the first place is worrying. How many unknown apps have similar hacks in them? There’s no concrete evidence saying that third-party apps have been stealing information, but it’s possible. Next time you want to add a third-party app to your voice assistant, maybe do a little research first.