Amazon Alexa and Google Home are becoming a bigger part of our daily lives, and with that they are increasingly in the spotlight over privacy issues.
We are returning to the topic because, in the last few hours, a new case has emerged that involves them in phishing through third-party apps. Based on tests published exclusively by our colleagues at SRLabs, smart speakers that use Alexa and Google Assistant could act as real spy devices and steal users’ sensitive data. How? By continuing to record conversations even though the interaction has apparently ended.
To demonstrate all this, the SRLabs researchers created apps containing malicious code, four for Alexa and the same number for Google Home. Seven of them were disguised as horoscope apps and one as a number generator. All of them were approved by the security review processes of both companies.
Tricking users of Alexa and Google Home
There are two tricks. The first is to make the user believe that the conversation with the voice assistant is over when it is not. The second is to use a fake software update as bait to steal sensitive data such as a username, password, credit card information or e-mail address.
For example, saying “Alexa, go with today’s lucky horoscope for Taurus” and then stopping the conversation, with the assistant confirming the stop, does not actually end the session. The app only appears to stop participating while it keeps listening.
Stealing passwords and sensitive data
Stealing a password or other sensitive data would also be rather simple. When the user asks for an Alexa Skill, the skill returns an error message (for example, that the skill is not available in the user’s country). Then, after a pause during which the user believes the operation is finished, the malicious app announces, in a voice almost identical to Alexa’s, that a new update is available for the device and asks for the username and password to proceed.
All this also applies to Google Home, which can be exploited by the bad guys through a very similar procedure to steal users’ sensitive information.
SRLabs has removed all the demonstration apps and promptly reported the problem to Google and Amazon, both of which said they would immediately get to work on changing their approval processes to prevent this from happening in the future.