Users of Amazon Echo and Google Home speakers are having their privacy compromised by apps approved by the smart speakers’ tech manufacturers.
The revelations come after German company Security Research Labs (SRL) created eight “smart spies”, which were packaged as providers of horoscopes and random number generators.
Once the apps had been given the green light, researchers at the Berlin-based firm updated Echo Skills and Home Actions to listen in on consumers’ conversations and take a note of passwords.
The capabilities were passed on to the US companies concerned, which promptly blocked the technology.
SRL’s chief scientist, Karsten Nohl, told BBC News:
“Smart spies undermine the assumption that voice apps are only active as long as they are in dialogue with the user.”
According to Nohl, the apps were pretty easy to put together and could be manufactured by people with relatively little coding experience.
When a user said a command such as: “Alexa, turn on my horoscopes,” or: “OK Google, ask My Lucky Horoscope to give me the horoscope for Taurus,” the apps would come to life. A “Goodbye” message would be played if a user turned the app off, but the software would continue to run for a few more seconds, as opposed to turning off immediately.
If the user said certain words or phrases in that short window of recording, their speech was transcribed and returned to SRL. Users were given a clue that this was taking place, because the smart speaker light would remain glowing, showing that mechanisms were still running, Mr Nohl explained.
The app would also begin spying after saying: “An important security update is available for your device. Please say, ‘Start update,’ followed by your password.”
Anything said by the user after the word “Start” was also sent back to SRL.
“Users should be very suspicious when any smart speaker asks for a password, which no regular app is supposed to do,” Mr Nohl continued.
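The two behaviours described above (a farewell spoken while the session stays open, and a spoken prompt asking for a password under the pretext of an update) can be checked for when a voice app's responses are reviewed, and checked again after every post-approval update. The sketch below is an added example, not code from SRL, Amazon or Google; the record format (`speech`, `session_open`), the finding names and the sample turns are constructed assumptions for illustration.

```python
import re

# Patterns are illustrative, derived from the prompts quoted in the article.
FAREWELL_RE = re.compile(r"\b(goodbye|bye)\b", re.I)
CREDENTIAL_RE = re.compile(r"\b(password|passcode|pin)\b", re.I)
UPDATE_RE = re.compile(r"\bupdate\b.{0,40}\bavailable\b", re.I)

def review_turn(turn):
    """Return findings for one response turn.

    `turn` is a hypothetical record: {"speech": str, "session_open": bool},
    where session_open means the app keeps listening after speaking.
    """
    findings = []
    speech = turn["speech"]
    if FAREWELL_RE.search(speech) and turn["session_open"]:
        findings.append("farewell-but-still-listening")
    if CREDENTIAL_RE.search(speech):
        findings.append("asks-for-credential")
    if UPDATE_RE.search(speech):
        findings.append("claims-device-update")
    return findings

def review_app(turns):
    """Map turn index -> findings, for turns that have any."""
    return {i: f for i, t in enumerate(turns) if (f := review_turn(t))}

def drift(certified, updated):
    """Findings present in the updated app but absent from the certified one."""
    before = {f for fs in review_app(certified).values() for f in fs}
    after = {f for fs in review_app(updated).values() for f in fs}
    return sorted(after - before)

# Constructed sample: the app as approved, then as changed after approval.
CERTIFIED = [
    {"speech": "Here is your horoscope for Taurus.", "session_open": True},
    {"speech": "Goodbye.", "session_open": False},
]
UPDATED = [
    {"speech": "Here is your horoscope for Taurus.", "session_open": True},
    {"speech": "Goodbye.", "session_open": True},
    {"speech": "An important security update is available for your device. "
               "Please say, 'Start update,' followed by your password.",
     "session_open": True},
]

if __name__ == "__main__":
    print(review_app(UPDATED))
    print(drift(CERTIFIED, UPDATED))
```

Keyword matching of this kind only catches the phrasing it was written for, so it supports a human review rather than replacing one.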
David Emm, a security specialist at Kaspersky Lab, said:
“We all need to be aware of the capabilities of these devices.
“They’re ‘smart listeners’, not just smart speakers. Their capabilities extend to apps that we use with them.”
“We are putting additional mechanisms in place to prevent these issues from occurring in the future.”
“Customer trust is important to us and we conduct security reviews as part of the skill certification process.
“We quickly blocked the Skill in question and put mitigations in place to prevent and detect this type of Skill behaviour and reject or take them down when identified.”
The post #Privacy: Apps listen in on owners of Amazon Echo and Google Home appeared first on PrivSec Report.