
Videos show how easy it is to hack Google Home and Amazon Echo with malicious apps

Today, security experts and more cautious users worry about the popularization of smart speakers like Google Home and Amazon Echo. Now, the release of some very simple and didactic videos shows that these concerns are more justified than we would like.

The above video is part of a series produced by a German team called SRLabs. In their videos, the security experts show that it is all too easy to create an app that can bypass the security of both Home and Echo and use the speaker to spy on users' conversations.



In the specific case of this first video, the user asks Alexa, on an Echo, for the horoscope of the day through the installed app My Lucky Horoscope. The app was developed by the SRLabs staff themselves to show how spying by a malicious application can work. The request is met and the user then tells the device "Stop". But, as we can see in the real-time programming window in the corner of the video, the app keeps running in silence: it "listens" to what the user says next, transcribes it and sends it wherever the developer has chosen. This is also shown working on Google Home:

The hack works similarly on both devices. While the application runs, instructions behind it deliberately cause errors on the speaker, keeping it working even in silence. The horoscope app can continue to operate even after hearing "Stop" because the app itself handles this command before Alexa does, which keeps Echo from terminating the function. It automatically plays back the same recorded message Alexa uses to say that the app was terminated, but the one "saying" this is the malicious app, not the Echo system.

This recorded voice feedback, played by the app through the speaker system, can also be used for phishing, using either the Google Assistant voice or Alexa's to ask the user for a password:

Google has commented on the matter to the folks at Ars Technica:

"All actions on Google are required to follow our development policies and we prohibit and remove any Action* that violates these policies. We have review processes that detect the kind of behavior described in this article and we remove the Actions we found from these developers. We are putting in place additional mechanisms to prevent these problems from occurring in the future."

*Refers to the app actions that work on Google Home.

Source: Ars Technica.