Alexa and Google Home Can Eavesdrop

Oh, dear…the challenges of being on the Leading Edge of technology!

If you are going to play, you need to be educated about how things work and what to look out for.  Hope this helps.  Enjoy!

If you have any questions or comments, please share them in the comments section at the bottom and I’ll be happy to reply.

From ZDNet: Hackers can abuse Amazon Alexa and Google Home smart assistants to eavesdrop on user conversations without users’ knowledge, or trick users into handing over sensitive information.

The attacks aren’t technically new. Security researchers have previously found similar phishing and eavesdropping vectors impacting Amazon Alexa in April 2018; Alexa and Google Home devices in May 2018; and again Alexa devices in August 2018.

Both Amazon and Google have deployed countermeasures every time, yet newer ways to exploit smart assistants have continued to surface.

The latest ones were disclosed today, after being identified earlier this year by Luise Frerichs and Fabian Bräunlein, two security researchers at Security Research Labs (SRLabs), who shared their findings with ZDNet last week.

Both of these attacks exploit the fact that while Amazon and Google verify and vet Alexa and Google Home apps when they are submitted, they do not do the same for subsequent app updates.

In an email to ZDNet, the SRLabs team said they reported the issue to both vendors earlier this year, yet the companies have failed to address the issue.

“Finding and banning unexpected behavior such as long pauses should be relatively straight-forward,” the SRLabs team told ZDNet. “We are surprised that this hasn’t happened since reporting the vulnerabilities several months ago.”

Amazon did not respond to a request for comment from ZDNet prior to this article’s publication.

A Google spokesperson provided the following message:

“All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies. We have review processes to detect the type of behavior described in this report, and we removed the Actions that we found from these researchers. We are putting additional mechanisms in place to prevent these issues from occurring in the future.”

Google also wanted Home assistant owners to know that their device will never ask them for the account password, and that Google staff are currently reviewing actions from all third-party apps.
