The smart speaker space has exploded over the past few years, as Amazon, Google, Apple, and others have continued to crank out internet-connected, voice activated speakers that you can control by talking to them.

But some folks have been wary of putting devices with always-listening microphones in their homes, and reports have indicated that there’s a chance companies that make these products might be listening to your voice from time to time.

Now a new report from Security Research Labs indicates that it might not just be Amazon or Google listening in. They developed a series of apps that could keep listening in after you thought the app had closed or trick some users into providing their passwords — and all of these apps were distributed through Amazon and Google’s official channels.

In a nutshell, the vulnerabilities managed to make it past the official review processes in two ways. First, Amazon and Google typically only review an app (Amazon calls them “skills,” and Google dubs them “actions)” when it’s submitted the first time. Updates are not reviewed the same way, so the researchers were able to slip in their sneaky code through updates.

Second, the skills and actions basically tricked Google Assistant and Alexa into playing silence by inserting an unpronounceable character (�), causing it to seem like a voice app had finished running, when it was in fact still going.

You can see the apps in action in a series of YouTube videos from Security Research Labs.

The good news is that the proof-of-concept malicious skills and actions have been removed. And it’s unclear if any truly malicious developers have been using these techniques to spy on users.

According to a statement released to Ars Technica in response to the Security Research Labs disclosure, Google says it’s “removed the Actions that we found from these researchers” and that the company is “putting additional mechanisms in place to prevent these issues from occurring in the future.”

Amazon says it’s also removed the apps, and made changes including making sure that it’s no longer possible for skills to get a transcript of what a customers says after saying “stop” to the skill. The company also now prevents skills from asking users for their Amazon passwords.

But I wouldn’t be surprised if we see other exploits in the future — the rising popularity of smart speakers and voice assistants makes them a tempting target for malicious hackers… as does their ease of use. Users don’t need to download and install anything to interact with a Alexa skill or Google Assistant action, you just say a certain set of words to trigger them. And that means it’s up to Amazon and Google to make sure there are no major security vulnerabilities.

It’s obviously in those companies’ best interests to try to keep their platforms secure. But today I’m feeling pretty good about my household’s decision to skip to dumb speakers.

via Techmeme

Support Liliputing

Liliputing's primary sources of revenue are advertising and affiliate links (if you click the "Shop" button at the top of the page and buy something on Amazon, for example, we'll get a small commission).

But there are several ways you can support the site directly even if you're using an ad blocker* and hate online shopping.

Contribute to our Patreon campaign


Contribute via PayPal

* If you are using an ad blocker like uBlock Origin and seeing a pop-up message at the bottom of the screen, we have a guide that may help you disable it.

Subscribe to Liliputing via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 9,464 other subscribers

4 replies on “Researchers expose Amazon, Google smart speaker vulnerability that could let malicious apps spy on you”

  1. Super easy solution to this “issue”….dont use skills/apps on your device……period.
    All most all of them are garbage and just serve to muck things up. Very few functions/smarthome things actually require them anyways. Everyone tries to spin these stories as if its the companies doing this to us when its not.

  2. Let’s be honest. The devices are just a conduit for companies. Of course putting a live mic in your living space is going to be exploited! Touch your screen and ask away. A thing sitting on a shelf that you talk to is silly. The clapper was and is a thing but people decided that they can turn or flick the light switch without too much difficulty. Get a grip folks. In this case I hope spying becomes more of an issue because it’s a bit comical.

    1. Careful what you wish for. It might very well become so big an issue you can’t escape it, if, for example, all these mega corporations come together to create a completely privatized social credit system that, much like with your bank, you’ll find life very difficult if you try to avoid it.

Comments are closed.