Smart home devices have been part of the security debate for a long time. Now researchers at Security Research Labs (SRLabs) have demonstrated weaknesses in the backend systems that Amazon Alexa and Google Assistant expose to third-party voice app developers: a malicious voice app can secretly keep listening to a conversation and phish sensitive information such as passwords.
The researchers demonstrated the weaknesses in proof-of-concept videos, showing how easy it is to trick users into giving up sensitive information such as passwords and account details.
In the demonstration the researcher says "OK Google, talk to the integer generator", and the assistant replies "Your random integer is 228, goodbye." The assistant appears to shut down because the familiar earcon is played, but that sound was recorded and replayed by the app to give the false impression that the action had ended. Instead of closing, the app keeps the session open and waits for more input: whatever the user says next is transmitted directly to the attacker's server, and the app then calls an intent that outputs a short silence and keeps listening for more than 30 seconds. This is achieved by chaining several client re-prompt messages, each of which waits more than 8 seconds for a response. Anything the user says in that time is transmitted to the attacker again and the intent restarts, so the app is effectively in a loop in which the attacker can listen to the conversation.
The attacker can follow this up with code in the voice app that reads out a fake update message. Such a prompt may ask the user to say their password to install the update, and may also ask for further details such as the linked account. With that information the attacker can take control of the unsuspecting user's Amazon or Google account.
Both the eavesdropping and the phishing attack are carried out through the backend that Google and Amazon provide to developers of Alexa skills and Google Assistant actions. Without stringent vetting, a malicious developer can use functions that control how the assistant behaves, for example whether a session ends or keeps listening. Security Research Labs reported the issues to Google and Amazon months ago, but they are yet to be fixed. Moreover, since Amazon and Google do not vet the code of app updates, an app's behaviour can be changed after the initial review, which leaves malicious parties a free hand.
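The eavesdropping loop and the phishing prompt described above both leave traces in the responses a voice app returns to the platform: a spoken "goodbye" while the session is kept open, a re-prompt with nothing audible in it, or speech that asks for a password. The following is an added example, not code from SRLabs, Amazon or Google, of the kind of automated check a vetting pipeline could run over a skill's responses. It uses the publicly documented Alexa Skills Kit response shape (`response.outputSpeech`, `response.reprompt`, `response.shouldEndSession`); the sample responses, the `ssml_response` helper and the keyword lists are constructed for illustration.

```python
"""Audit Alexa-style skill responses for the fake-goodbye / silent-reprompt
eavesdropping pattern and for credential-phishing prompts.

Added example; not code from SRLabs, Amazon or Google. The JSON shape follows
the public Alexa Skills Kit response format; samples and keyword lists are
constructed for illustration.
"""
import re

GOODBYE_WORDS = re.compile(r"\b(goodbye|bye|see you|that's all)\b", re.I)
CREDENTIAL_WORDS = re.compile(
    r"\b(password|passcode|pin|account number|security code)\b", re.I)
SSML_TAG = re.compile(r"<[^>]+>")


def speech_text(output_speech):
    """Pronounceable text of an ASK outputSpeech object, SSML tags removed."""
    if not output_speech:
        return ""
    if output_speech.get("type") == "SSML":
        raw = output_speech.get("ssml", "")
    else:
        raw = output_speech.get("text", "")
    return SSML_TAG.sub("", raw).strip()


def silent_seconds(output_speech):
    """Total length of <break time="..."/> pauses in an SSML outputSpeech."""
    if not output_speech or output_speech.get("type") != "SSML":
        return 0.0
    total = 0.0
    pattern = r'<break\s+time="(\d+(?:\.\d+)?)(s|ms)"'
    for value, unit in re.findall(pattern, output_speech.get("ssml", "")):
        total += float(value) / (1000 if unit == "ms" else 1)
    return total


def audit_response(resp):
    """Return findings for one skill response; an empty list means nothing suspicious."""
    findings = []
    body = resp.get("response", {})
    speech = body.get("outputSpeech")
    reprompt = (body.get("reprompt") or {}).get("outputSpeech")
    ends = body.get("shouldEndSession", True)
    text = speech_text(speech)

    # 1. Says goodbye but leaves the session open: the user believes it ended.
    if not ends and GOODBYE_WORDS.search(text):
        findings.append("fake-goodbye: speech signals the end of the session "
                        "but shouldEndSession is false")
    # 2. Re-prompt with nothing audible: the device simply keeps listening.
    if not ends and reprompt is not None and speech_text(reprompt) == "":
        findings.append("silent-reprompt: reprompt has no audible text "
                        f"({silent_seconds(reprompt):g}s of pauses)")
    # 3. Asks the user to speak a credential, which no legitimate app should do.
    if CREDENTIAL_WORDS.search(text):
        findings.append("credential-prompt: speech asks for a password or similar secret")
    return findings


def ssml_response(ssml, reprompt_ssml=None, end_session=True):
    """Build an ASK-shaped response dict (constructed helper for the samples below)."""
    body = {"outputSpeech": {"type": "SSML", "ssml": f"<speak>{ssml}</speak>"},
            "shouldEndSession": end_session}
    if reprompt_ssml is not None:
        body["reprompt"] = {"outputSpeech": {
            "type": "SSML", "ssml": f"<speak>{reprompt_ssml}</speak>"}}
    return {"version": "1.0", "response": body}


# Constructed samples modelled on the behaviour described in the article.
EAVESDROP = ssml_response('Your random integer is 228, goodbye.<break time="8s"/>',
                          reprompt_ssml='<break time="8s"/>', end_session=False)
PHISH = ssml_response("A security update is available. Please say your account "
                      "password to install it.",
                      reprompt_ssml="Please say your password.", end_session=False)
BENIGN = ssml_response("Your random integer is 228, goodbye.", end_session=True)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("eavesdrop", EAVESDROP), ("phish", PHISH)):
        print(name, audit_response(sample) or ["clean"])
```

A check like this is only useful if it runs against what the app actually returns at runtime, not just the version submitted for review, since the article's point is that updates are not re-vetted; and keyword matching is a first filter, not a substitute for human review of any app that keeps a session open after signalling that it has finished.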
A Google spokesperson told ZDNet: "All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies. We have review processes to detect the type of behaviour described in this report, and we removed the Actions that we found from these researchers." Amazon has not yet issued a statement.
Google also wants users to be aware that the Google Assistant will not ask them for sensitive information such as a password through a voice app, so that they recognise any such request as a deception.