Security researchers from SRLabs have disclosed a vulnerability affecting both Amazon’s and Google’s smart speakers that enables attackers to turn unsuspecting users’ smart speakers into eavesdropping or phishing tools.
The researchers were able to make the smart speakers ask users for their Google account password or even silently record users. They achieved this by uploading a piece of malicious software that was disguised as a harmless Alexa Skill or Google Action.
The capabilities of both Amazon Alexa and Google Home can be extended through apps developed by third parties. On Alexa, these voice apps are called Skills, and on Google Home they’re called Actions.
The researchers released a series of videos in which they demonstrated that in every case they were able to keep the smart assistants listening for longer than usual. When given a series of characters that they cannot pronounce, the researchers found, the smart assistants stay quiet but continue to listen for more commands. While in this state, the smart assistants automatically transcribe anything that the user says and send it straight to the attacker.
Before making their findings about this vulnerability public, SRLabs disclosed the issue to both Google and Amazon through official channels, and there’s no evidence that this has been exploited in the real world. However, this should be a reminder to be careful about which third-party apps you allow access to your voice assistants, or to any other device or account, and to revoke their access if they aren’t needed or used.