October 24, 2019
Hey Google and Alexa, how easy is it to take control?
Hey, Google and Alexa—say it ain't so.
Berlin-based Security Research Labs has published its latest findings online, showing how the Google Home and Nest speakers, as well as Amazon's Echo products, could be taken over by hackers. Once in control, they could listen to your conversations, steal your passwords and more.
"As the functionality of smart speakers grows, so too does the attack surface for hackers to exploit them," the company noted, in a blog post.
The seemingly innocuous little speakers that only come to life after hearing the "wake" word ("Alexa" or "Hey, Google"), in fact, listen in way more often.
By default, Amazon records every interaction with Alexa, and Google also records you, after getting you to grant it permission. Both hold onto your recordings unless you go into Settings and make a change.
Amazon, Google and Apple say they keep the recordings, and monitor them, to improve the accuracy of the assistants.
Beyond the speaker snooping, consumers should also be concerned about adding third-party Alexa "skills" and Google "actions" to do more things with the speakers.
SRLabs developed eight bogus ones to show how easy it would be to exploit the speakers, calling them "smart spies," and posted several videos on YouTube to demonstrate.
Amazon and Google both say they have updated their processes for publishing new Alexa skills and Google actions to prevent this from happening.
"We have put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified," Amazon said in a statement. Said Google: "We are putting additional mechanisms in place to prevent these issues from occurring in the future."
In the videos, a researcher shows the bogus horoscope apps SRLabs created and how one could be tweaked with a bogus error message, followed by silence. The user thinks the app has stopped working, when in fact it has taken control of the speaker and begun recording.
In another example, the app says it needs to update and asks the user for a password (which Amazon and Google would never do) to complete the process.
(c)2019 U.S. Today
Distributed by Tribune Content Agency, LLC.