Attention Google and Amazon Echo smart speaker users! Researchers at the German internet security firm Security Research Labs (SRLabs) have discovered a way to eavesdrop on users via third-party apps.
The rogue audio apps use a feature in the Google and Amazon speakers that extends the functionality of the devices: installing a so-called ‘action’ or ‘skill’, respectively.
SRLabs has developed malicious apps for both speakers. The malicious apps operate the same way as the companies’ smart assistants: both work with voice commands. The user utters a command and is then connected to the virtual assistant.
In both scenarios, the apps abuse the punctuation mark ‘ ‘, followed by a period and a space. This character cannot be spoken, so the speaker’s microphone remains activated without the user’s knowledge.
The rogue app would then forward the tapped information to its own servers by convincing the user to say the word ‘start’. In this way, the hacker gains easier access to personal information, passwords or e-mail addresses.
There are no reports yet of this cunning method being used in the wild, but the researchers do warn of potential abuse. “Users should approach a new voice app with the same caution as installing a new app on their smartphone.”
Source: Nu.nl