Researchers from SRLabs have developed proof-of-concept apps that can capture user input on Google Home and Amazon Alexa devices. According to the report published by the security research company, the issue lies in Alexa's "Skills" and Google Home's "Actions", the features that let third-party applications extend the smart speakers' functionality. Because this integration is implemented insecurely, it can be abused for password voice-phishing or for plain eavesdropping on the user.
In two demonstration videos, the researchers show that the user's password can be stolen on both Amazon Alexa and Google Home speakers by requesting the passphrase after a simple backend change. The malicious example apps exploit the "fallback intent" (the handler a voice app runs when the user's utterance matches no other intent), the built-in stop intent, and a flaw in the text-to-speech engine that allows long pauses in the speech output. The apps created by SRLabs first tell the user that they are not supported in their country. After a deliberately long pause, they play the following message: "An important security update is available for your device. Please say start update followed by your password."
As the SRLabs experts point out, Google and Amazon review apps on submission and try to spot anything insecure hidden in their functionality. However, changing how an app works after that initial review does not trigger a new round of checks, so a developer can alter the backend and get past the review process. In this case, the change was to add unpronounceable characters such as "?" and "*" to the output text, which introduces silence in the speech output and tricks the user into thinking that the app has stopped while it is still running.
Amazon and Google were informed of the vulnerabilities under the responsible-disclosure practices that underpin white-hat hacking, and they have removed the offending apps from their stores. Their review process has become more rigorous as a result of these revelations, and both companies have stated that they found no sign of the flaws being actively exploited by anyone other than the SRLabs researchers. From now on, any output text that includes the word "password" will be rigorously reviewed when a new version of an app is submitted.
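The silence-padding trick and the post-review backend change described above, together with the "password" check the vendors say they now apply, can all be caught by a scan of an app's spoken responses run on every deployment. The following Python script is an added example, not SRLabs' code and not either vendor's review tooling. It flags runs of unpronounceable characters (the report names "?" and "*"; treating any run of four or more non-letter, non-digit characters as a pad is this example's own assumption), flags any response that mentions a password, and compares a digest of the current response set against one recorded at review time so that a later backend change does not go unnoticed. The intent names and sample responses are constructed for the example.

```python
"""Audit a voice app's spoken responses for the two tricks in the SRLabs report:
silence padding built from unpronounceable characters, and a prompt asking the
user to speak a password. Added example; not SRLabs' code or vendor tooling."""
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The report names "?" and "*" as the filler characters. Assumption of this
# example: any run of four or more characters that are neither letters, digits
# nor whitespace (whitespace between them is allowed) is treated as a pad.
SILENCE_RUN = re.compile(r"(?:[^\w\s]\s*){4,}")

# Words that should never appear in a response the store has not re-reviewed.
PASSWORD_PROMPT = re.compile(r"\b(password|passphrase|pass ?code)\b", re.IGNORECASE)


@dataclass
class Finding:
    response_id: str   # intent or request type whose response was flagged
    kind: str          # "silence_pad" or "password_prompt"
    evidence: str      # the matched text


def find_silence_pads(text: str) -> List[str]:
    """Return every run of unpronounceable characters in a response."""
    return [m.group(0).strip() for m in SILENCE_RUN.finditer(text)]


def find_password_prompt(text: str) -> Optional[str]:
    """Return the matched password word, or None if the response has none."""
    m = PASSWORD_PROMPT.search(text)
    return m.group(0) if m else None


def audit_responses(responses: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of intent name -> spoken text and collect findings."""
    findings = []
    for rid, text in responses.items():
        for pad in find_silence_pads(text):
            findings.append(Finding(rid, "silence_pad", pad))
        word = find_password_prompt(text)
        if word is not None:
            findings.append(Finding(rid, "password_prompt", word))
    return findings


def response_digest(responses: Dict[str, str]) -> str:
    """Stable SHA-256 over the whole response set, recorded at review time."""
    canonical = json.dumps(responses, sort_keys=True, ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def changed_since_review(reviewed_digest: str, responses: Dict[str, str]) -> bool:
    """True if the backend now speaks something other than what was reviewed."""
    return response_digest(responses) != reviewed_digest


# Constructed sample: what the app said when it was submitted for review.
REVIEWED_RESPONSES = {
    "LaunchRequest": "Welcome to Daily Horoscope. Which sign would you like to hear?",
    "FallbackIntent": "Sorry, I did not understand that. Please try again.",
    "StopIntent": "Goodbye.",
}

# Constructed sample: the same intents after a post-review backend change of
# the kind the report describes (fake "not available" notice, long silence,
# then the password request; fallback and stop intents padded with silence).
CHANGED_RESPONSES = {
    "LaunchRequest": (
        "Sorry, this app is not available in your country. ? ? ? ? ? ? ? ? ? ? "
        "An important security update is available for your device. "
        "Please say start update followed by your password."
    ),
    "FallbackIntent": "* * * * * * * *",
    "StopIntent": "Goodbye. * * * * * * * *",
}


if __name__ == "__main__":
    reviewed_digest = response_digest(REVIEWED_RESPONSES)
    print("changed since review:", changed_since_review(reviewed_digest, CHANGED_RESPONSES))
    for f in audit_responses(CHANGED_RESPONSES):
        print(f"{f.response_id}: {f.kind} -> {f.evidence!r}")
```

The scan works on the text the app actually hands to the text-to-speech engine, not on the metadata the developer declares at submission, which is the surface the post-review change lives on. The digest comparison only helps if the reviewed response set was recorded at review time, and neither check can see responses a backend composes dynamically at runtime, so this is a floor for a store-side or CI check rather than a complete defence.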
Do you trust your smart speaker, or are you worried about being eavesdropped on? Let us know in the comments below, or on our socials, on Facebook and Twitter.