In the past year, privacy concerns about devices powered by Google Assistant and Amazon Alexa have risen so sharply that many people are now afraid to keep these devices on. Now, some white-hat hackers from Germany have proof that attackers could abuse Google Home and Amazon Alexa devices to eavesdrop on the activities of targeted users. Along with eavesdropping, this loophole can be used to phish passwords as well. The attackers do this with specially designed Alexa skills or Google Assistant actions that collect the required set of information from targeted users.
This information was shared by a few white-hat hackers from Security Research Labs, Germany. To point out the loophole, they developed around eight Amazon Alexa skills and Assistant actions that were able to eavesdrop on users and thus enable potential password phishing. Well worthy of the name 'smart spies,' most of these apps were disguised as horoscope tellers or random content generators. In all these cases, users were keen enough to install these apps. More importantly, all of them passed the security checks that Google and Amazon have set up for Alexa skills and Assistant actions.
“It was always clear that those voice assistants have privacy implications—with Google and Amazon receiving your speech, and this possibly being triggered on accident sometimes. We now show that, not only the manufacturers, but… also hackers can abuse those voice assistants to intrude on someone’s privacy,” said Fabian Bräunlein, a senior security consultant at Security Research Labs. As they have said, the team has tried to point out the ways in which hackers are abusing the inherent privacy flaws of Google Assistant and Alexa-powered applications in real life. The white-hat team has also released a few videos that show how attackers can fool you via such apps.