Alexa and Google Home spying apps easily made it through approval

Posted:
in General Discussion
A security research organization in Germany placed eight 'smart spies' in both the Amazon Alexa and Google Home app stores to demonstrate how easily eavesdropping and phishing can be done over smart speakers.

Echo Dot


German organization Security Research Labs has demonstrated both that malicious apps can be created for Alexa and Google Home, and that they can pass security vetting. The company successfully created eight such apps that they called "Smart Spies." Each was designed to eavesdrop or phish, and each was then approved by Amazon and Google.

"It was always clear that those voice assistants have privacy implications-- with Google and Amazon receiving your speech, and this possibly being triggered on accident sometimes," Fabian Braunlein, senior security consultant at SRLabs, told Ars Technica.

"We now show that, not only the manufacturers, but... also hackers can abuse those voice assistants to intrude on someone's privacy," he continued.






The Smart Spies skills on Alexa or actions on Google Home were all able to eavesdrop on users after they should have stopped listening. Some were phishing ones that told users there was an update and asked for passwords.

According to SRLabs documentation, the company relied on how certain elements of an Alexa voice skill can be changed after it has passed Amazon's review process.

It also took advantage of the ability for developers to insert very long pauses in the speech output of either Alexa skills or Google actions. This is achieved by asking either smart speaker to repeatedly say an unpronounceable series of ASCII or ISO codes.

This meant the voice apps would go silent and so appear to have ended, when in reality they were waiting up to a minute to ask phishing questions.





SRLabs disclosed the apps and its research to Amazon and Google, both of whom have now removed the apps. Both companies then responded to SRLabs with statements about preventing this being done again.

"This is no longer possible for skills being submitted for certification," said an Amazon spokesperson in a written statement to SRLabs. "We have put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified."

"All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies," said a Google spokesperson in a similar statement.

"We have review processes to detect the type of behavior described in this report, and we removed the Actions that we found from these researchers," continued Google's spokesperson. "We are putting additional mechanisms in place to prevent these issues from occurring in the future."

Ars Technica reports that Google is now reviewing all third-party Google Home actions.

SRLabs did not place any Smart Spies on Apple's HomePod, as this does not currently support third-party actions.

Previously, Amazon has been reported to use thousands of workers to monitor recordings of spoken commands issued to the company's smart speakers and other devices. Google has done the same, and so has Apple.

Comments

  • Reply 1 of 13
    Do we know if any of these Skills or Actions were installed and used by unsuspecting people?
    cornchipwatto_cobra
  • Reply 2 of 13
    Do we know if any of these Skills or Actions were installed and used by unsuspecting people?
    It's going to be hard to isolate whether the people were unsuspecting or not.
    watto_cobra
  • Reply 3 of 13
    Perhaps.... thy were removed because they interfered with the resident spyware on the devices?
    No matter. None of this [redacted] [redacted] stuff will get past my front door (or back door for that matter). This also includes Homepod. I've managed for 66 years without this stuff and I can manage a few more thanks.

    Japheybaconstang
  • Reply 4 of 13
    The strong response from Google and Amazon is “we removed the apps”. The weaker response was “we told them not to do that and will remove their apps if they do”. 
    StrangeDayslolliverbaconstangchasmwatto_cobra
  • Reply 5 of 13
    Wgkrueger said:
    The strong response from Google and Amazon is “we removed the apps”. The weaker response was “we told them not to do that and will remove their apps if they do”. 
    They wouldn’t know if not told about it.....so we know how easy it is
    lolliverbaconstangfrantisekwatto_cobra
  • Reply 6 of 13
    Do we know if any of these Skills or Actions were installed and used by unsuspecting people?
    It's going to be hard to isolate whether the people were unsuspecting or not.
    Sure, “to isolate”, but I feel that if the Skills/Actions were installed 50 times then maybe they were all by the researchers. If they were installed 100,000 times then we can assume that a large portion of the users were unsuspecting. I mean, that was the whole point of creating the Skills/Actions in the first place, to get unsuspecting people to install them. 
    lolliverwatto_cobra
  • Reply 7 of 13
    "We are putting additional mechanisms in place to prevent these issues from occurring in the future."

    Ok, Google. ;)
    edited October 2019 philboogiecornchipbaconstangwatto_cobra
  • Reply 8 of 13
    StrangeDaysStrangeDays Posts: 11,154member
    Sounds like real secure platforms they have there. Attack could not be deployed on HomePod. “But HomeKit is losing in home automation!”
    cornchiplolliverbaconstangwatto_cobra
  • Reply 9 of 13
    MplsPMplsP Posts: 2,935member
    Sounds like real secure platforms they have there. Attack could not be deployed on HomePod. “But HomeKit is losing in home automation!”
    This is separate from Homekit.

    Homekit is losing in automation because it's significantly more expensive, totally incompatible with any existing devices, has fewer devices available, and is less capable. I installed a couple HomeKit devices at our cabin to try it and have been very unimpressed. There have been routine disconnects and issues with devices being unavailable and I haven't gotten Siri to work yet. The device enrollment process is very easy until it doesn't go right, then it's damned near impossible. I have an 8 year old Schlage/Nexia that came with our house when we bought it. It's far more functional, useful and reliable. 


    edited October 2019
  • Reply 10 of 13
    StrangeDaysStrangeDays Posts: 11,154member
    MplsP said:
    Sounds like real secure platforms they have there. Attack could not be deployed on HomePod. “But HomeKit is losing in home automation!”
    This is separate from Homekit.

    Homekit is losing in automation because it's significantly more expensive, totally incompatible with any existing devices, has fewer devices available, and is less capable. I installed a couple HomeKit devices at our cabin to try it and have been very unimpressed. There have been routine disconnects and issues with devices being unavailable and I haven't gotten Siri to work yet. The device enrollment process is very easy until it doesn't go right, then it's damned near impossible. I have an 8 year old Schlage/Nexia that came with our house when we bought it. It's far more functional, useful and reliable. 
    The attack vector was skills, which is home automation, which puts it squarely in competition with HomeKit. But as we see it’s less secure and has more vulnerabilities. 

    No problem with an entire household of HK accessories, years in now. I suspect whatever problem you’re having is unique to your environment. 

    You enjoy your cheap stuff, I’ll enjoy my secure stuff that costs more. 
    cornchiph2plolliverp-dogchasmwatto_cobra
  • Reply 11 of 13
    MplsPMplsP Posts: 2,935member
    MplsP said:
    Sounds like real secure platforms they have there. Attack could not be deployed on HomePod. “But HomeKit is losing in home automation!”
    This is separate from Homekit.

    Homekit is losing in automation because it's significantly more expensive, totally incompatible with any existing devices, has fewer devices available, and is less capable. I installed a couple HomeKit devices at our cabin to try it and have been very unimpressed. There have been routine disconnects and issues with devices being unavailable and I haven't gotten Siri to work yet. The device enrollment process is very easy until it doesn't go right, then it's damned near impossible. I have an 8 year old Schlage/Nexia that came with our house when we bought it. It's far more functional, useful and reliable. 
    The attack vector was skills, which is home automation, which puts it squarely in competition with HomeKit. But as we see it’s less secure and has more vulnerabilities. 

    No problem with an entire household of HK accessories, years in now. I suspect whatever problem you’re having is unique to your environment. 

    You enjoy your cheap stuff, I’ll enjoy my secure stuff that costs more. 
    I have no idea if the problem is unique to my environment, all I know is it doesn't work. I have no problem paying more for something that's better;  Paying more for fewer features and poor reliability is a no-go. As for security, if it doesn't work, security is a moot point. My Nexia system has had no issues, so I'll stick with it.
    edited October 2019 muthuk_vanalingam
  • Reply 12 of 13
    I will not have an Alexa or Google Home product in my house. If a home automation product is not HomeKit capable, it will not enter my domicile.
    badmonkwatto_cobra
  • Reply 13 of 13
    MacProMacPro Posts: 19,251member
    p-dog said:
    I will not have an Alexa or Google Home product in my house. If a home automation product is not HomeKit capable, it will not enter my domicile.
    100% agree.
    badmonkwatto_cobra
Sign In or Register to comment.