Your smart speakers could be listening for way more than you want them to. Recently, Security Research Labs (SRLabs), a hacking research group and think tank based in Germany, released a report on their findings that Alexa and Google Home expose users to phishing and eavesdropping due to third-party skills and apps. The labs found two possible scenarios that can be played out on both Amazon Alexa and Google Home where a hacker can listen to your interactions with your smart speaker and phish for sensitive information. They dubbed the vulnerabilities Smart Spies, recorded their results, and put them in four videos to explain how they work.
Basically, a hacker can make a third-party app that can trick users into giving away certain information or keep listening after ending a task with the user, using the speaker’s built-in voice command system. In their tests, using these vulnerabilities, SRLabs was able to request and collect personal data, including user passwords, and eavesdrop on users.
Google smart speakers are particularly vulnerable to eavesdropping. One of the vulnerabilities involves recording people after the user thinks the smart speaker has stopped listening. With Alexa, certain trigger words must be said to start recording, but with Google, that’s not the case. As long as the device hears someone talking every 30 seconds, a hacker can keep the voice recording going, possibly infinitely.
Safety checks that are run by Amazon and Google are part of the problem that allows these vulnerabilities to exist. SRLabs also found that even if Google or Amazon reviews a third-party app or skill for safety and it passes, the app can be changed after the safety review to phish or eavesdrop on users. Making these changes didn’t trigger another safety check from either Google or Amazon.
The best strategy to avoid hackers eavesdropping on your sensitive information? If an app or skill asks for a password, don’t answer. No trustworthy app or skill will ask you to say passwords. Most require you to go to the app and link your accounts, which is safer. Your smart speaker won’t ask you for passwords to perform system or account updates, either. In addition, don’t give your smart speaker your credit card information or other sensitive data. Avoid saying sensitive data out loud after recently using your smart speaker, too.
