Privacy is one of the things no one wants to compromise on, and frankly, no one should. And one of the subjects that might owe to compromise is smart speakers. The invasion in privacy range from employees listening to the recording to the auditors acquiring the user locations. And now, the security researchers reveal that the apps used to operate can be used to pester users as well.
Security researches from Security Research Labs raised the alarm when they found out that the apps supported by Amazon Alexa and Google Home could phish user and to eavesdrop on their conversations. The researchers from the firm created an app that could exploit the security vulnerabilities to hack the devices. This app is called Skills for Alexa and Actions for Google Home. The labs made numerous apps that looked and hid malicious code that exploits in background…yeah, just like a Trojan horse… Aren’t they used to pester users last time I checked, but these apps don’t.
SRL confirmed that the apps were able to extract personal information, including passwords, listen in on the user. This ‘thing’ kept going even after the users thought the speaker was no longer listening as it gave a fake error message that sounded like the speaker has closed to avoid suspicion. Instead, the speaker kept taking a record of what its user said at and after the moment of the apparent closing.
These apps were removed by Amazon and Google when the matter was disclosed before them. Previously these apps were approved by the moderation teams, and the remedy to the situation as per SRL is “To prevent ‘Smart Spies’ attacks, Amazon and Google need to implement better protection, starting with a more thorough review process of third-party Skills and Actions made available in their voice app stores.”
Both the companies assure that they are now in the process of strengthening their security measures, and these kinds of apps won’t be allowed in the future.