This is not the first time this issue has been addressed, but this is a clear confirmation regarding the security of some smart devices. Data protection experts from German form Security Research Labs (SRL) altered eight apps for the purpose of spying on Amazon Echo and Google Home users.
“Most users assume that voice apps are only activated when the user mentions an awake word; modified apps take advantage of this fact,” said Karsten Nohl, a member of the research team.
Data protection experts say that creating these “smart spies” was a relatively easy process, as no advanced programming knowledge was required. Altered applications provide services such as daily horoscope or random number generation.
When users stop interacting with the app the smart speakers respond with a departure message; however, instead of shutting down immediately, the software keeps running for several additional seconds. Thus, any phrase or word recorded during the time that the application keeps running was recorded and sent to the experts in charge of the investigation.
“It’s important to note that the target smart speakers’ lights were still on for those seconds after the device’s shutdown, so a cautious user shouldn’t have a problem identifying that the device is still active,” Nohl says.
During a similar attack, the user was sent a message that says: “A new security update for your device is available. Please say aloud ‘Start Update’, followed by your password”. In this attack, any words that the user mentioned to the smart speaker were registered and sent to the experts. Regarding this scenario, Nohl says: “This is an anomalous behavior, as it is assumed that no legitimate application should ask the user for their password”.
Moreover, David Emm, data protection expert at Kaspersky Lab assures that a key aspect of these security weaknesses has to do with the developers of the apps for Google Home and Amazon Echo, as they are often external companies. “We should remember that the listening capability of these devices also extends to the applications they work with,” the expert says.
The security firm notified both companies of the tests conducted. Google announced that it would remove altered apps: “In addition, we are implementing additional mechanisms to prevent these issues from occurring in real-world scenarios while using Google Home,” the company’s statement says.
On the other hand, Amazon also issued a statement: “The trust of our users is the most important thing. Upon receipt of the report, we immediately block the services mentioned and take steps to prevent and detect similar behavior in other services.”
This is not the first time that the use of these tools leaves doubts on privacy. A couple of months ago, data protection experts at the International Institute of Cyber Security (IICS) revealed that Google allows a third-party company to transcribe some samples of user conversations with the Google Assistant. Although the company claims this is done with the purpose of improving the voice assistant’s machine learning system, thousands of users were concerned, and is ignored under what parameters are the audio snippets that Google shares with third-parties.