New Alexa and Google Assistants Hacked By Researchers Apps To Phish and Record Conversations

German researchers uploaded proof-of-concept apps to both the Amazon Skills store and the Google Play Store, and both were allowed to pass QA. The researchers created a phony horoscope app that used some novel coding techniques to trick both Alexa and Google Home and turn them into social engineering and phishing tools. According to Ars Technica, "Whitehat hackers at Germany's Security Research Labs developed eight apps—four Alexa 'skills' and four Google Home 'actions'—that all passed Amazon or Google security-vetting processes. The skills or actions posed as simple apps for checking horoscopes, with the exception of one, which masqueraded as a random-number generator. Behind the scenes, these 'smart spies,' as the researchers call them, surreptitiously eavesdropped on users and phished for their passwords."

“It was always clear that those voice assistants have privacy implications—with Google and Amazon receiving your speech, and this possibly being triggered on accident sometimes,” Fabian Bräunlein, senior security consultant at SRLabs, told me. “We now show that not only the manufacturers but… also hackers can abuse those voice assistants to intrude on someone’s privacy.”

The researchers were able to demonstrate social engineering and phishing techniques by embedding code that put Alexa and Google into silent mode while still recording. During the silent period, the conversation was recorded, transcribed and sent back to the attacker (the app's publisher). They also inserted a realistic assistant voice that phishes users by saying a new update is available for their device, but that they need to say their password to install it. They could just as easily have asked for a credit card number or other information. Both Google and Amazon removed the rogue apps after the researchers informed them, and both platforms say they have now addressed the vulnerability. It's highly likely that some users would be fooled into providing passwords or private information, given that the instructions were coming through a trusted venue like Alexa or Google.
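The two behaviours described above, a long stretch of silence while the session stays open and a spoken prompt asking the user to say a password, are things a platform reviewer (or a developer's own CI) can check for before a skill goes live. The following is an added example written for this post, not code from SRLabs, Amazon or Google. It assumes a voice app's responses are available as SSML text (the `<speak>`/`<break>` markup both platforms accept) plus a flag saying whether the response leaves the microphone open; the sample responses, the five-second pause threshold and the wording patterns are all constructed for the example and are not any platform's actual policy.

```python
"""Pre-publication linter for voice-app responses (added example, not platform code)."""
import re
import xml.etree.ElementTree as ET

# Review thresholds and patterns: assumptions chosen for this example.
MAX_TOTAL_BREAK_SECONDS = 5.0
CREDENTIAL_WORDS = re.compile(
    r"\b(password|passcode|passphrase|pin|credit card|card number|security code)\b",
    re.IGNORECASE,
)
UPDATE_LURE = re.compile(r"\b(update|upgrade)\b.*\b(available|install)\b",
                         re.IGNORECASE | re.DOTALL)

# Constructed sample responses (hypothetical, not the researchers' apps).
SAMPLE_RESPONSES = {
    "horoscope_ok": ("<speak>Today is a good day for Leo. Goodbye!</speak>", False),
    "fake_update": ("<speak>An important security update is available for your device. "
                    "To install it, please say your password after the tone.</speak>", True),
    "silent_listen": ("<speak>Goodbye.<break time=\"10s\"/><break time=\"10s\"/>"
                      "<break time=\"10s\"/></speak>", True),
}


def _break_seconds(value: str) -> float:
    """Convert an SSML <break time="..."/> value ('10s', '500ms') to seconds."""
    value = value.strip().lower()
    if value.endswith("ms"):
        return float(value[:-2]) / 1000.0
    if value.endswith("s"):
        return float(value[:-1])
    raise ValueError(f"unsupported break time: {value!r}")


def review_response(ssml: str, keeps_session_open: bool = False) -> list[str]:
    """Return a list of review findings for one response; empty means nothing flagged."""
    findings = []
    root = ET.fromstring(ssml)
    # Text the assistant will actually speak, with markup stripped.
    spoken_text = " ".join(t.strip() for t in root.itertext() if t.strip())
    # Sum every <break> pause: a long gap after "Goodbye" is the "silent mode" pattern.
    total_break = sum(_break_seconds(b.get("time", "0s")) for b in root.iter("break"))
    if total_break > MAX_TOTAL_BREAK_SECONDS:
        findings.append(f"silence: {total_break:.1f}s of <break> pauses")
        if keeps_session_open:
            findings.append("silent-listen: long pause while the microphone stays open")
    # A response that names a secret the user might say back is the phishing pattern.
    if CREDENTIAL_WORDS.search(spoken_text):
        findings.append("credential-request: response mentions a secret the user might speak")
        if UPDATE_LURE.search(spoken_text):
            findings.append("update-lure: fake update combined with credential request")
    return findings


def review_all(responses: dict = SAMPLE_RESPONSES) -> dict:
    """Run the linter over a set of named responses and return findings per name."""
    return {name: review_response(ssml, open_mic) for name, (ssml, open_mic) in responses.items()}


if __name__ == "__main__":
    for name, found in review_all().items():
        print(f"{name}: {found or 'OK'}")
```

The check is deliberately conservative: it flags anything that mentions a credential at all, on the basis that a horoscope or random-number skill has no legitimate reason to say the word "password", and leaves the judgement to a human reviewer rather than trying to be clever about context.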
More info:

I put my hands up and will disclose that I own two Amazon Echo Dots, and I consider myself pretty cautious when it comes to home security, especially working in InfoSec. I have these devices because my wife loves them: no need for a radio in the house, no need to mess about connecting her phone to a smart device, and no music centre. Simply ask Alexa to play music or radio and job's a good 'un. News reports on the go, with no more sitting down to watch regular news programmes on TV or read articles on the internet. Oh, and there is a bunch of laziness in not having to turn lights on and off at a switch; we can ask Alexa to do this too.

Now we make sure we have a strong Amazon password and have 2FA enabled, and I make a point of checking the settings every now and then to make sure it's locked down and that nothing can initiate a purchase on our Amazon account via Alexa, just in case she misunderstands words we utter or that come via the TV whenever there is an Amazon advert for the Echo.

I was glad to come across recent articles on blogs from the likes of Sophos Naked Security and Graham Cluley talking about the always-listening reality of these devices, about humans helping to improve the AI by listening to some of these recordings (most likely a really small percentage), and about how we can disable this feature. This latest gap is troubling because, while both my wife and I are very savvy and would never disclose credentials in such a manner and know that Amazon would never ask for them, what other manner of maliciousness is embedded within the third-party apps that we allow Alexa to interact with?

For example, I live in the UK, and smart devices like light bulbs, toothbrushes, light sockets and heating controls are either made by high-end manufacturers, which makes them really expensive, or they are virtually unbranded generic devices made in China or lesser-known parts of Europe and sold in discount stores or supermarkets. The instructions simply say to download an app to your phone, which will interact with Alexa as a skill, or sometimes a separate app isn't even needed. The problem is that these devices come in at the right price for the average consumer, and rarely would anyone think that bad things might happen. This is why security awareness really must be pushed out into the consumer marketplace, or some form of watchdog or standards body set up to control these things. It appears that whatever checks Amazon or Google have in place to vet third-party developers aren't yet mature enough to protect people fully, and people aren't yet savvy enough to know how to protect themselves. This makes me consider disconnecting such smart devices from Alexa, as we simply can't trust them.

One of the obstacles to getting more security pushed down to endpoints like smart bulbs and other embedded devices is probably cost, particularly for the low-end devices, although Alexa and Google are certainly in a position to fix this. Of even more concern is the sheer number of people now trying to hack these devices; everyone is scrambling to stay up to date with zero days.

