Researchers Tricked Google Home and Alexa Into Eavesdropping and Password Phishing (arstechnica.com)

What if Google and Amazon employees weren't the only ones who'd listened through your voice assistant? Ars Technica reports: The threat isn't just theoretical. Whitehat hackers at Germany's Security Research Labs developed eight apps -- four Alexa "skills" and four Google Home "actions" -- that all passed Amazon or Google security-vetting processes. The skills or actions posed as simple apps for checking horoscopes, with the exception of one, which masqueraded as a random-number generator. Behind the scenes, these "smart spies," as the researchers call them, surreptitiously eavesdropped on users and phished for their passwords...

The apps gave the impression they were no longer running when they, in fact, silently waited for the next phase of the attack.... The apps quietly logged all conversations within earshot of the device and sent a copy to a developer-designated server. The phishing apps follow a slightly different path by responding with an error message that claims the skill or action isn't available in that user's country. They then go silent to give the impression the app is no longer running. After about a minute, the apps use a voice that mimics the ones used by Alexa and Google Home to falsely claim a device update is available and prompt the user for a password for it to be installed....

In response, both companies removed the apps and said they are changing their approval processes to prevent skills and actions from having similar capabilities in the future.

  • by Viol8 ( 599362 ) on Monday October 21, 2019 @06:37AM (#59330220)

    ..you really have to be a Grade A congenital idiot. Why else would you risk divulging extremely private information and potentially have people listen to what you've said just to save the utterly minimal effort of doing the exact same task on your phone or tablet.

    • So instead of buying one of these devices (which can be kept in the Big Bear Bin down the road), you want to run the same silly shit on a tablet or phone?

      What kind of absolute maroon are you?

      • by Viol8 ( 599362 )

        That tablet or phone doesn't have its mic switched on as a matter of course 24/7, listening out for anything that's said and sending it back to the mothership. What's more, phone manufacturers don't record their users' conversations "to improve their phone service".

        Apart from that, yeah, great point, spot on.

        • These smart speakers run the same assistant software that's on the phones and tablets. And have the same 24/7 hotword detection features too. I'm not sure what kind of distinction you're trying to make here.

          • by Viol8 ( 599362 )

            Hotword detection has to be explicitly enabled on a phone or tablet, and if you do so then more fool you, whereas it's the default input method on a smart speaker. Which part of that is confusing you?

        • by MushMouth ( 5650 )

          Actually they do have a mic on the whole time. Unlike the "smart" speakers which only have wifi, they also have their own private network which is difficult to audit.

          • by Viol8 ( 599362 )

            No, phones and tablets do not have the mic on all the time since it would kill battery life. Why do you think you have to press a button first to use Siri and whatever the android equivalent is?

    • I have a Google home mini but it's in my workshop and it's great for when I want to turn on/off a particular light or switch music and I don't want to take off my gloves or I'm in the middle of something that I don't want to (or can't) stop.

      I wouldn't place it anywhere I don't want it hearing sensitive or confidential information (e.g. living room, bedroom etc.). The worst exposure I have with one in the workshop is it might pick up a tirade of expletives when the hammer hits something soft and fleshy when it's not supposed to, or it might hear a long, drawn-out curse as I'm tightening a bolt and all of a sudden the amount of pressure required goes to zero.
      • The worst exposure I have with one in the workshop is it might pick up a tirade of expletives when the hammer hits something soft and fleshy when it's not supposed to ...

        I'd be more concerned that you apparently think there are times the hammer is supposed to hit something soft and fleshy. What are you doing in your workshop?

    • Re: (Score:2, Troll)

      by andydread ( 758754 )
      if you have a smart phone in your home then you really have to be a Grade A congenital idiot. Why else would you risk divulging extremely private information and potentially have people listen to what you've said...
      • by Viol8 ( 599362 )

        Phone mics don't stay on all the time, and their range is very limited. And phone makers don't routinely record their users' calls.

        • Phone mics don't stay on all the time

          Citation needed. If the phone has power, the mic has power. You have no access to know what the hardware is doing.

          their range is very limited

          Not true. I can have a conversation 30 feet away with my phone on speaker.

    • ..you really have to be a Grade A congenital idiot. Why else would you risk divulging extremely private information and potentially have people listen to what you've said just to save the utterly minimal effort of doing the exact same task on your phone or tablet.

      There are plenty of Grade A congenital idiots out there. So I predict great success for their new home spying overlords.

    • So, you get one of these [walmart.com] for $8, plug your smart speaker into it, and you've got a hardware kill switch. Set up a voice command to cut the power (name the smart plug "yourself"), and when it's time to talk shop about your meth lab (or whatever it is you don't want Google/Amazon hearing), you can say "Alexa (or Google), turn yourself off!".

      Of course, you'll need that smartphone or tablet to turn it back on, but it's a small price to pay to have both the convenience of voice control, and privacy.

    • ..you really have to be a Grade A congenital idiot.

      This is getting really fucking old, Slashdot.

      Some of us want voice control functionality for our smart homes, and understand how e.g. Google Home works, and accept the trade-offs. Name calling is childish and aside from some early woes (i.e. this case), which can be expected from any emergent technology, they work pretty damn well.

      I personally can live with the 1/100 chance a contractor hears 10 seconds of anonymized speech, and I don't install third-party skills.

      But holy shit, it has a microphone, the sky

  • Tricked? (Score:5, Insightful)

    by Opportunist ( 166417 ) on Monday October 21, 2019 @07:03AM (#59330276)

    What do you mean tricked? Since when do you have to trick Google home and Alexa to eavesdrop and rat out on you? Isn't that the main function?

    • Since when do you have to trick Google home and Alexa to eavesdrop and rat out on you? Isn't that the main function?

      The main function is to let google or amazon eavesdrop on you. This is tricking the user into letting a third party do so.

  • Comment removed based on user account deletion
    • Seems to me that Google has a way better data breach record than just about any other tech company I can see.
    • When you can show the average person how a lack of privacy disadvantages them personally.

      We're several generations removed from Nazi Europe. People today have no living memory of the Soviet Union or East Germany, don't care about Communist China, may not even know who Pol Pot was, etc... And to make matters worse, there are people of the opinion that the privacy protections would have stopped the Nazis.

      Even before Google existed, Waco and Ruby Ridge happened. Racism and oppression of minorities flou

    • What do you mean this is a security fail? Didn't you catch this part:

      After about a minute, the apps use a voice that mimics the ones used by Alexa and Google home to falsely claim a device update is available and prompts the user for a password for it to be installed....

      They've conditioned people to just cough up a password immediately when asked by a robot voice.

      In what way is that a security fail?

  • Don't assume that something in the app store is safe. Google does not have time to do a thorough code-review of every app and look for this stuff. Even if they could, their definition of safe may not match yours. This is no different from the free closed-source software you can download for Mac, Windows, etc. Use caution.

  • Clever attack!

    The one weakness I see in the attack is that if the user actually looks at the device they’ll see the activity lights are still blinking, clueing them in that the device is still active and listening. While many users wouldn’t notice, enough would that I think actual attempts to exploit this vulnerability would be discovered pretty quickly.

  • As if they weren't designed for spying ...

  • If I'm using Google Home I'm assuming that Google is getting my speech for analysis and Google is running whatever commands these skills add, and perhaps making some external API calls, then terminating the session.

    Why are skills even allowed to access the original audio or to hold the mic open this way? What's the legitimate use case for these behaviors?

  • is just doing what the ads need to do.
    That others can be that "ad" company doing the full collecting should not be unexpected :)
