Study suggests it's quite easy to hack smart speakers

German security research consultancy Security Research Labs has dropped a security bomb on Amazon and Google, questioning the competence of security features and reviews.

As with all these revelations, the vulnerabilities were shared with the two companies prior to being made public. The hacks discussed this week have now been addressed by Amazon and Google, though they do demonstrate the awareness consumers need to acquire if these devices are to maintain their presence in the living room.

“Alexa and Google Home are powerful, and often useful, listening devices in private environments,” the firm said in a blog entry.

“The privacy implications of an internet-connected microphone listening in to what you say are further reaching than previously understood. Users need to be more aware of the potential of malicious voice apps that abuse their smart speakers. Using a new voice app should be approached with a similar level of caution as installing a new app on your smartphone.”

Although there is no such thing as 100% secure anymore, the competency of Amazon and Google has been called into question here. Vulnerabilities are nothing new in the digital economy, though the simplicity of some of these hacks is a little bit embarrassing for the internet economy's poster boys.

The first hack is quite remarkable in the sense that it is so simple. Security Research Labs created an application using the normal means and submitted it for review by the Amazon and Google security teams. Once the application had been green-lit, the team went back in and changed its functionality, which did not prompt a second review from either of the review teams.

In this example, Security Research Labs replaced the welcome message with a fake error message to make the user think the application had not started properly, for example 'this application is not available in this country'. After forcing the speaker to remain silent for an extended period of time, a second message is played requesting permission for a security update. During this second message, the user is prompted to say his/her password, which is then captured and sent back to Security Research Labs.

It is often said that the simplest ideas are usually the best, and the same holds in the hacking world. Phishing is one of the simplest means of hacking an individual's account via email, and this approach from Security Research Labs is effectively a phishing campaign translated to the voice user interface.

Amazon or Google would of course never ask a user for their password in this manner, but we suspect there are many users who would simply go with the flow. According to a Symantec security report, 71.4% of targeted attacks involved the use of spear-phishing emails, so the approach clearly works. And now it can be applied to the voice interface.

While losing your password is a worry, the second hack unveiled by Security Research Labs is a bit more nefarious.

Once again, the application designed for the smart speakers is altered after the review by the security teams at Amazon and Google; this time, however, the change concerns when the speakers actually stop listening to the user. By introducing a second 'intent' which is linked to the command that should make the smart speaker halt all functionality, the session can be extended.

In short, the device continues to listen to and record its surroundings, before sending the data back to the attacker. This is obviously a very simplistic explanation; for more detail we would suggest following this link to the Security Research Labs blog.

Both of these examples were remarkably simple to introduce, as the security review function of both Amazon and Google looked to be nothing more than a box-ticking exercise. Changes are seemingly ignored once the application has passed the first time, offering a lot of freedom to the hacker. Both Amazon and Google will now have introduced new processes to block such attacks and improve the security review system, though it does appear to be a massive oversight.

Aside from the inadequacies shown here by Amazon and Google, Security Research Labs is perhaps demonstrating one of the biggest dangers of the digital economy: a lack of awareness among the general public. Most people download apps without checking the security credentials or reputation of the developer, and the same assumption could be made for the growing ecosystem of smart speakers.

Sprint customers victim of another hack

Sprint is the latest telco to become the victim of cybercrime as an unknown number of customers have had their personal data eyed over by nefarious parties.

In a letter sent to customers, Sprint has suggested a huge amount of personal information has been exposed to the darker corners of the internet. The hackers gained access via the Samsung ‘add a line’ website, with the total number of impacted customers being unknown for the moment.

“On June 22, Sprint was informed of unauthorized access to your Sprint account using your account credentials via the Samsung.com ‘add a line’ website,” the letter states. “We take this matter, and all matters involving Sprint customer’s privacy, very seriously.”

An 'add a line' website is one operated by third parties, mainly device manufacturers, for customers who want to add an additional phone line to an existing contract with a telco. Sprint offers this feature to customers who would like to add more individuals or devices to existing contracts.

This is of course not the first time Sprint customers have been the victim of the darker practices of the web, with the pre-paid brand Boost being compromised in March. Again, Sprint was not transparent about the severity of the breach, though in that instance a common technique called a credential stuffing attack was used.

Looking at the latest breach, exposure is quite severe. The hackers gained access to phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address and add-on services.

Sprint has played down the risk in the letter, suggesting no other information 'that could create a substantial risk of fraud or identity theft' had been accessed. Sprint might want to play down the severity of the hack, but many will disagree with the laissez-faire attitude.

“When attackers manage to hijack legitimate access rights, they can remain undetected for extended periods of time,” said Saryu Nayyar, CEO of cybersecurity firm, Gurucul.

“Many organisations don’t have the ability to identify subtle behavioural anomalies that are indicators of cyber threats. But with advanced machine learning algorithms it’s possible to spot behaviours that are outside the range of normal activities and intervene before the damage is done.”

Details are relatively thin on the ground right now, and it is possible Sprint does not yet fully understand the severity of the breach, though this is further evidence of security being an afterthought. Attitudes are changing for the better, though it is clear not enough firms are secure enough for today's digitally-defined society.

Uber concealed data hack affecting 57 million users for a year

Hackers accessed a bunch of data on Uber drivers and customers in late 2016 but the company chose not to notify either regulators or those affected.

This is just the latest legacy bestowed on Uber CEO Dara Khosrowshahi by his predecessor and Uber founder Travis Kalanick. The company seems to be a magnet for controversy and recently had its license to operate in London revoked over public safety concerns. Khosrowshahi was brought in earlier this year to steady the ship, but skeletons keep emerging from the corporate closet.

“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” wrote Khosrowshahi in an announcement. “The incident did not breach our corporate systems or infrastructure. Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.”

From the many reports on this it appears the hackers got hold of some login details for an AWS account and it was from there that they downloaded the data. They then used that data to blackmail Uber, in the manner that is becoming increasingly common in the cyber-crime world.

Data breaches have become so common in recent years that we might not have even bothered reporting on this one were it not for the way Uber handled it. Apparently it paid the hackers $100,000 to delete the data and keep quiet, and then made out that the payment was a 'bug bounty' of the kind companies commonly pay to hackers who test their security.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” wrote Khosrowshahi. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

The dodgy part of all this is the extent to which it was hushed-up. Uber’s Chief Security Officer – Joe Sullivan – has already been shown the door for the part he played in it and it asks further questions of Kalanick, who remains on the company’s board. The New York Attorney General has already opened an investigation into the matter and given the company’s track record it can expect to be given little benefit of the doubt.