Latest in Gear

Image credit:

Google and Amazon approved home speaker apps that spied on users

The apps could be used for phishing attacks too.
421 Shares
Share
Tweet
Share
Save

Sponsored Links

Privacy is a hot topic in the realm of smart speakers, from employees listening in on recordings and auditors accessing user locations. Now, another issue regarding speakers has been raised, after security researchers revealed that apps accepted by the Amazon Alexa and Google Home platforms could be used to phish users and to eavesdrop on them.

Researchers from the firm Security Research Labs created the apps, known as Skills for Alexa and Actions for Google Home, which exploited security vulnerabilities to hack devices, as reported by Ars Technica. SRL created several apps for each platform which appeared to be legitimate skills like a horoscope app, but which actually hid malicious code.

The apps were able to collect personal data including passwords, and also eavesdrop on users even after they thought that the speaker was no longer listening. This worked by the app giving a fake error message which sounded as if it had closed, while it actually continued operating, even taking down a transcript of everything the user said after that point.

All of the malicious apps were approved by moderation teams, and were only removed when the researchers disclosed the issue to Amazon and Google. "To prevent 'Smart Spies' attacks, Amazon and Google need to implement better protection, starting with a more thorough review process of third-party Skills and Actions made available in their voice app stores," the SLR researchers concluded.

Both companies say they are now strengthening their processes for reviewing apps, but the prevalence of malicious smartphone apps on platforms like the Google Play Store demonstrates how difficult the task of security vetting apps is.

SLR had advice for smart speaker users as well: "The privacy implications of an internet-connected microphone listening in to what you say are further reaching than previously understood. Users need to be more aware of the potential of malicious voice apps that abuse their smart speakers. Using a new voice app should be approached with a similar level of caution as installing a new app on your smartphone."

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
421 Shares
Share
Tweet
Share
Save

Popular on Engadget

The 2019 Engadget Holiday Gift Guide

The 2019 Engadget Holiday Gift Guide

View
Uber's first safety review contains thousands of sexual assault reports

Uber's first safety review contains thousands of sexual assault reports

View
Qualcomm teams up with 'Pokémon Go' developer to make AR glasses

Qualcomm teams up with 'Pokémon Go' developer to make AR glasses

View
Wirecutter's best deals - Jabra Elite 85h Bluetooth headphones drop to $200

Wirecutter's best deals - Jabra Elite 85h Bluetooth headphones drop to $200

View
Microsoft's redesigned Office mobile apps read text out loud

Microsoft's redesigned Office mobile apps read text out loud

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr