New Hack Turns Google & Amazon Speakers Into Phishing Tool
A new vulnerability affecting both Google and Amazon smart speakers has been discovered which turns the products in question into an eavesdropping and phishing tool for hackers.
Discovered by security researchers from SRLabs, the vulnerability – dubbed Smart Spies – gives hackers the ability to manipulate the smart speakers in order to eavesdrop on unsuspecting users, as well as phish for user passwords.
Researchers showed that all hackers would need to do is upload a malicious piece of software disguised as a standard Alexa or Google action in order to silently record users or obtain passwords via user accounts.
Also, by coding in a symbol that neither Alexa nor Google Assistant could pronounce, the attacker could make the virtual assistant appear to go silent, leading the user to believe the task had been completed when it had not.
After a period of silence, a new message would emerge pretending to be from the speaker asking for a password for a security update.
After finding the exploit, SRLabs privately disclosed it to both Amazon and Google before publishing a blog post explaining the whole procedure.
“We were surprised to see the Smart Spies hacks still worked more than three months after reporting the issues to Google and Amazon (in February this year),” an SRLabs spokesperson told .
“The voice app reviews needed to explicitly search for unpronounceable characters, silent SSML messages and suspicious output texts like passwords.”
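As an added example, not SRLabs' code or either vendor's review tooling, the checks below implement the three review criteria the SRLabs quote lists: unpronounceable characters, silent SSML, and output text that asks for a password. The SSML layout, the silence threshold and the phrase list are assumptions; the sample responses are constructed.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET

# Assumed thresholds/phrases for this example, not platform rules.
PASSWORD_PHRASES = re.compile(r"\b(password|passcode|security update)\b", re.I)
MAX_SILENT_MS = 5000  # assumed: more total <break> time than this is suspicious

def unpronounceable_chars(text):
    """Return code points a TTS engine cannot speak: surrogates, private-use,
    unassigned, format and control characters (ordinary whitespace excluded)."""
    bad = []
    for ch in text:
        if unicodedata.category(ch) in ("Cs", "Co", "Cn", "Cf", "Cc") and ch not in "\n\t ":
            bad.append(f"U+{ord(ch):04X}")
    return bad

def silent_break_ms(ssml):
    """Sum the duration of every <break time=...> element in an SSML response."""
    total = 0.0
    for brk in ET.fromstring(ssml).iter("break"):
        m = re.fullmatch(r"(\d+(?:\.\d+)?)(ms|s)", brk.get("time", "0ms"))
        if m:
            total += float(m.group(1)) * (1000 if m.group(2) == "s" else 1)
    return int(total)

def review_response(ssml):
    """Return review findings for one spoken response (empty list = nothing flagged)."""
    findings = []
    spoken = "".join(ET.fromstring(ssml).itertext())  # text the assistant would speak
    bad = unpronounceable_chars(spoken)
    if bad:
        findings.append("unpronounceable characters: " + ", ".join(bad))
    ms = silent_break_ms(ssml)
    if ms > MAX_SILENT_MS:
        findings.append(f"silent SSML: {ms} ms of <break> time")
    if PASSWORD_PHRASES.search(spoken):
        findings.append("suspicious output text: asks for a password or security update")
    return findings

# Constructed samples: a benign response and one following the Smart Spies pattern
# (unpronounceable private-use character, long silence, then a fake password prompt).
BENIGN = "<speak>Your horoscope for today is positive. Goodbye!</speak>"
SUSPICIOUS = ('<speak>Here is your horoscope.\ue000'
              '<break time="10s"/><break time="10s"/>'
              'An important security update is available. '
              'Please say your password after the tone.</speak>')

if __name__ == "__main__":
    for name, resp in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, review_response(resp))
```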
Both companies have since responded to the disclosure, seeking to reassure users that the issue is being addressed.
“Customer trust is important to us, and we conduct security reviews as part of the skill certification process,” an Amazon spokesperson told Gizmodo.
“We quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behaviour and reject or take them down when identified.”
“It’s also important that customers know we provide automatic security updates for our devices and will never ask them to share their password.”
“All actions on Google are required to follow our developer policies, and we prohibit and remove any action that violates these policies,” a Google spokesperson told Gizmodo.
“We have review processes to detect the type of behaviour described in this report, and we removed the actions that we found from these researchers.”
“We are putting additional mechanisms in place to prevent these issues from occurring in the future.”