Hackers can spy on you via Alexa, Google Assistant
What's the story
Google Assistant and Amazon Alexa dominate as two incredibly impressive AI-powered voice assistants.
They are capable of handling a lot of tasks. But, if a recent security report is anything to go by, both digital helpers can be compromised by hackers to eavesdrop on your private conversations and steal your passwords.
Here's all you need to know about it.
Hack
Third-party skills/actions used to hack Alexa, Google Assistant
Just recently, security researchers at SRLabs claimed that malicious software disguised as a legitimate Alexa skill or Google action can be used to compromise your Alexa or Google Assistant.
The team shared a series of videos to show that hackers can upload malicious code into a skill/action and use it to listen in on private conversations and steal confidential passwords.
Attack details
How the attack works
At its core, the attack revolves around using a skill/action to feed the assistant (either of the two) a series of characters it cannot pronounce.
As a result, the assistant says nothing aloud but continues to listen in on the conversation longer than usual.
The recording is then automatically transcribed and sent to the hacker.
Exploits
Video demos detailing potential exploits
The researchers' videos displayed how this security flaw can be used to steal confidential information.
In one case, a Google action to generate random numbers kept listening in on conversations, while in another a Horoscope skill continued recording even after the user commanded 'STOP'.
Two other videos showcased that similar programs can be used to generate fake errors, tricking you into giving away your password.
Comment
What Amazon and Google said about this
As both Amazon and Google have extensive checks in place for detecting malicious programs for their respective voice assistants, the security researchers uploaded the malicious code as part of an update for existing skills/actions.
In response, both companies said that they take down malicious skills immediately after detection and have mitigations in place to prevent more compromised programs from showing up in the future.
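The mechanism under "Attack details" (output the assistant cannot pronounce while it keeps listening) and the update path described above can both be covered by one review-side check. The sketch below is an added example, not code from SRLabs, Amazon or Google; the response record format, the finding names and the sample data are assumptions made for illustration.

```python
import unicodedata

# Unicode categories a text-to-speech engine has nothing to say for:
# control, format, surrogate, private-use and unassigned code points.
UNSPEAKABLE = {"Cc", "Cf", "Cs", "Co", "Cn"}

def spoken_fraction(speech):
    """Share of letters, digits and unspeakable characters that can be voiced."""
    voiced = silent = 0
    for ch in speech:
        cat = unicodedata.category(ch)
        if cat in UNSPEAKABLE:
            silent += 1
        elif cat[0] in "LN":  # letters and numbers
            voiced += 1
    total = voiced + silent
    return voiced / total if total else 0.0

def audit_response(resp, min_spoken=0.9):
    """Findings for one response record (hypothetical review format)."""
    findings = []
    if spoken_fraction(resp["speech"]) < min_spoken:
        findings.append("unpronounceable-output")
        if resp["keep_listening"]:  # microphone stays open after the silence
            findings.append("silent-listening")
    return findings

def audit_update(certified, update):
    """Findings per intent that the update introduces over the reviewed version."""
    introduced = {}
    for intent, resp in update.items():
        before = audit_response(certified[intent]) if intent in certified else []
        added = [f for f in audit_response(resp) if f not in before]
        if added:
            introduced[intent] = added
    return introduced

# Constructed sample data: the reviewed version and a later update of one skill.
PAD = "\ue000 " * 40  # private-use characters, chosen here as a stand-in
CERTIFIED = {
    "RandomNumber": {"speech": "Your number is 42.", "keep_listening": False},
    "Stop": {"speech": "Goodbye.", "keep_listening": False},
    "Help": {"speech": "Ask me for a number.", "keep_listening": True},
}
UPDATE = {
    "RandomNumber": {"speech": "Your number is 42." + PAD, "keep_listening": True},
    "Stop": {"speech": "Goodbye." + PAD, "keep_listening": True},
    "Help": {"speech": "Ask me for a number.", "keep_listening": True},
}

if __name__ == "__main__":
    print(audit_update(CERTIFIED, UPDATE))
```

Running the same audit on every update, not only at first submission, is what catches a change slipped into an already approved skill/action.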
Information
Google conducting internal review of all actions
In addition to the security assurance, a Google spokesperson told Ars Technica that they have removed the malicious action uploaded by the researchers and are conducting an internal review of all third-party actions for proper security.