German security research consultancy Security Research Labs has dropped a security bomb on Amazon and Google, questioning the competence of security features and reviews.
As with all these revelations, the vulnerabilities were shared with the two companies prior to being made public. The hacks which have been discussed this week have now been addressed by Amazon and Google, though it does demonstrate the awareness consumers need to acquire should these devices maintain their presence in the living room.
“Alexa and Google Home are powerful, and often useful, listening devices in private environments,” the firm said in a blog entry.
“The privacy implications of an internet-connected microphone listening in to what you say are further reaching than previously understood. Users need to be more aware of the potential of malicious voice apps that abuse their smart speakers. Using a new voice app should be approached with a similar level of caution as installing a new app on your smartphone.”
Although there is no such thing as 100% secure anymore, the competency of Amazon and Google has been called into question here. Vulnerabilities are nothing new in the digital economy, though the simplicity of some of these hacks are a little bit embarrassing for the internet economy’s poster boys.
The first hack is quite remarkable in the sense it is so simple. Security Research Lab created an application using the normal means and even submitted the application for review by the Amazon and Google security teams. Once the application had been green lit, the team went back in and changed the functionality, which did not prompt a second review from either of the review teams.
In this example, Security Research Lab created a fake error message to replace the welcome message to make the user think the application had not started properly, for example ‘this application is not available in this country’. After forcing the speaker to remain silent for an extended period of time, another message is introduced requesting permission for a security update. During this second message, the user is prompted to change his/her password, which is then captured and sent back to the Security Research Lab.
It is often said the simplest ideas are usually the best, and this is the same in the hacking world. Phishing is one of the most simplistic means to hack an individuals account via email, and this approach from Security Research Lab is effectively a phishing campaign translated to the voice user interface.
Amazon or Google would of course never ask a user for their password in this manner, but we suspect there are many users who would simply go with the flow. According to a Symantec security report, 71.4% of targeted attacks involved the use of spear-phishing emails so the approach clearly works. And now it can be applied to the voice interface.
While losing your password is a worry, the second hack unveiled by Security Research Lab is a bit more nefarious.
Once again, the application designed for the smart speakers are altered after the review from the security teams at Amazon and Google, however it is to do with when the speakers actually stop listening to the user. By introducing a second ‘intent’ which is linked to a command for the smart speaker to halt all functionality, the session can be extended.
In short, the device continues to listen and record its surrounding, before sending the data back to the attacker. This is obviously a very simplistic explanation, for more detail we would suggest following this link to the Security Research Lab blog.
Both of these examples are remarkably simple to introduce as the security review function of both Amazon and Google looked to be nothing more than a box-ticking exercise. Changes are seemingly ignored once the application has been passed the first time, offering a lot of freedom to the hacker. Both Amazon and Google will now have introduced new processes to block such attacks and improve the security review system, though it does appear to be a massive oversight.
Aside from the inadequacies shown here by Amazon and Google, Security Research Lab is perhaps demonstrating some of the biggest dangers of the digital economy; a lack of awareness by the general public. Most people download apps without checking the security credentials or reputation of the developer, and the same assumption could be made for growing ecosystem for smart speakers.