There are several privacy and security concerns about the always-on smart speakers in our houses and offices. A group of Berlin-based security researchers has tried to prove that both Amazon and Google are vulnerable to breaches that will affect their smart speakers and users. Their test shows that the digital assistants and devices are able to eavesdrop on users or phish for their personal information, at least if users don’t know any better.
Security Research Labs published a pretty long report on their website, detailing the experiment they conducted to prove that there are flaws in the systems of both companies and, consequently, in their smart speakers as well. They call their experiment “Smart Spies”, and part of it was creating apps that show how the attacks and breaches can come about. These apps also show that it is possible to work around the approval processes of both tech giants.
Their experiment shows that once an app is approved by Amazon or Google, its functionality can be changed without triggering a second review. So once the app was approved, they changed the welcome message to a fake error message like “This skill is currently not available in your country”. Users then think the app or speaker is no longer listening. After some time, the app plays a fake update alert and then prompts you to give your password, asking you to “Start update”.
Since “start” is a trigger word, when you say your password, they are able to capture it and then use your login credentials. Of course, people should know better than to give out a password, but those who don’t know this are the potential victims. So, just as a reminder: Alexa or Google Assistant will never prompt you for your password or other personal information, so if you encounter this, just don’t give it any of your information.
The other attack they tried out allows the smart speaker to continue listening to your conversation even when you think the app has already stopped. Of course, the company contacted both Amazon and Google and shared the results of the experiment with them. Hopefully both companies will be able to improve both their approval process and the access given to the skills of third-party apps.