New Hack Turns Google & Amazon Speakers Into Phishing Tool

A newly discovered vulnerability affecting both Google and Amazon smart speakers turns the products into eavesdropping and phishing tools for hackers.

Discovered by security researchers from SRLabs, the vulnerability – dubbed Smart Spies – gives hackers the ability to manipulate the smart speakers in order to eavesdrop on unsuspecting users, as well as phish for user passwords.

Researchers showed that all a hacker would need to do is upload a malicious piece of software disguised as a standard Alexa skill or Google action in order to silently record users or obtain passwords via user accounts.

Also, by coding in a symbol that neither Alexa nor Google Assistant could pronounce, the attacker could make the virtual assistant appear to go silent. The user would think the task had been completed, when in fact the voice app was still running.

After a period of silence, a new message would emerge pretending to be from the speaker asking for a password for a security update.

After finding the exploits, SRLabs privately disclosed them to both Amazon and Google before posting its discovery on a blog explaining the whole procedure.

“We were surprised to see the Smart Spies hacks still worked more than three months after reporting the issues to Google and Amazon (in February this year),” an SRLabs spokesperson told .

“The voice app reviews needed to explicitly search for unpronounceable characters, silent SSML messages and suspicious output texts like passwords.”
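The three review checks named in that quote can be sketched as a small scanner over a voice app's response text. This is an added example, not SRLabs', Amazon's or Google's code; the function names, the 5-second silence threshold, the choice of Unicode categories treated as unpronounceable, and the sample responses are all assumptions made for illustration.

```python
import re
import unicodedata

MAX_SILENCE_S = 5.0  # assumed review threshold, not a platform limit
# SSML <break time="..."/> with a duration in seconds or milliseconds
BREAK_RE = re.compile(r'<break\b[^>]*\btime\s*=\s*["\'](\d+(?:\.\d+)?)(ms|s)["\']', re.I)
TAG_RE = re.compile(r"<[^>]+>")
CREDENTIAL_RE = re.compile(r"\b(password|passcode|pin)\b", re.I)
# Assumed "no spoken form" categories: surrogate, private use, unassigned, control
SILENT_CATEGORIES = {"Cs", "Co", "Cn", "Cc"}


def silence_seconds(ssml):
    """Total pause requested through <break> elements, in seconds."""
    total = 0.0
    for value, unit in BREAK_RE.findall(ssml):
        total += float(value) / (1000.0 if unit.lower() == "ms" else 1.0)
    return total


def unpronounceable_chars(ssml):
    """Characters in the spoken text that a speech engine has nothing to say for."""
    text = TAG_RE.sub("", ssml)
    return [c for c in text
            if not c.isspace()
            and (unicodedata.category(c) in SILENT_CATEGORIES or c == "\ufffd")]


def review_response(ssml):
    """Return the list of review findings for one response; empty means clean."""
    findings = []
    if unpronounceable_chars(ssml):
        findings.append("unpronounceable-characters")
    if silence_seconds(ssml) > MAX_SILENCE_S:
        findings.append("long-silence")
    if CREDENTIAL_RE.search(TAG_RE.sub(" ", ssml)):
        findings.append("credential-prompt")
    return findings


# Constructed sample responses (not taken from any real skill or action).
BENIGN = '<speak>Here is your horoscope. <break time="500ms"/> Expect good news.</speak>'
SUSPICIOUS = ('<speak>Goodbye.' + "\ue000 " * 20 + '<break time="10s"/>'
              "A security update is available. Please say your password.</speak>")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, review_response(sample))
```

A review pipeline would run a check like this on every response a voice app can produce, including responses served after certification, since the behaviour described above only appears once the app's backend changes.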

Both companies have since responded to the vulnerability in a bid to reassure users that they are doing everything to address this.

“Customer trust is important to us, and we conduct security reviews as part of the skill certification process,” an Amazon spokesperson told Gizmodo.

“We quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behaviour and reject or take them down when identified.”

“It’s also important that customers know we provide automatic security updates for our devices and will never ask them to share their password.”

“All actions on Google are required to follow our developer policies, and we prohibit and remove any action that violates these policies,” a Google spokesperson told Gizmodo.

“We have review processes to detect the type of behaviour described in this report, and we removed the actions that we found from these researchers.”

“We are putting additional mechanisms in place to prevent these issues from occurring in the future.”


