Amazon and Google unwittingly approved smart-speaker apps designed to eavesdrop on users and steal their passwords
- Researchers planted spying apps on Google and Amazon smart speakers
- The apps tested device security and were approved by Google and Amazon
- Apps eavesdropped and attempted to steal users’ passwords
- Experts warn that smart speakers can and will be targeted by hackers
Researchers successfully sneaked malicious apps behind the defenses of two major smart speaker companies in a test on their security practices.
Experts at Security Research Labs say the apps were designed to target personal data, like voice recordings and passwords, of both Google Home and Amazon Echo users by posing as software that reads horoscopes through voice commands.
The apps were only removed once researchers made the companies aware of their test.
All eight of the apps designed by the researchers were able to bypass Amazon and Google defenses and were approved by the companies’ moderation teams – a lapse that experts say invites even greater scrutiny on smart devices’ privacy and safety standards.
MailOnline reached out to Google and Amazon for comment and will update with further information.
‘As the functionality of smart speakers grows so too does the attack surface for hackers to exploit them,’ write the researchers in their report.
‘The flaws allow a hacker to phish for sensitive information and eavesdrop on users. We created voice applications to demonstrate both hacks on both device platforms, turning the assistants into “Smart Spies”.’
One app was designed to trick users into thinking their device is no longer listening by announcing a fake error message after being roused by a wake-word.
In reality, however, the app remains open with the microphone engaged, which would allow hackers to eavesdrop on any subsequent conversations within earshot.
Another attack serves users a fake prompt asking them to update their systems by spelling out their password. That transcript is then captured and sent to a remote server.

Google’s brand of smart home products, like its Nest Mini, is among the most popular voice-controlled products on the market.
Researchers say the exploits should act as a wake-up call for users of microphone-enabled smart home devices who may not be aware the technology can be exploited by hackers.
‘The privacy implications of an internet-connected microphone listening in to what you say are further reaching than previously understood,’ the researchers write.
‘Users need to be more aware of the potential of malicious voice apps that abuse their smart speakers. Using a new voice app should be approached with a similar level of caution as installing a new app on your smartphone.’
Google, Amazon, Apple, Facebook, and Microsoft were all recently swept up in their own scandals after the companies were found to be using contractors to pore over voice-commands given by users of their products.
The programs often scraped up audio not intended for their devices, like business calls, sex, porn searches, and other private conversations.