Alexa and Google Home Devices can be Abused to Phish and Eavesdrop on Users, Research Finds
Researchers at Security Research Labs (SRL) demonstrated how applications (called Skills in Amazon Alexa and Actions on Google Home) can be used to exploit security issues in the ways certain device functions are operated through the apps.
SRL’s report showed how sensitive data like account credentials and payment information can be stolen through the following:
- Create a benign application and get it reviewed by Amazon or Google
- Modify the app after it’s been reviewed and approved, then set its welcome message to appear like an error (e.g., “This skill is currently not available in your country”) and adding long pauses (e.g., having the app read unpronounceable characters)
- Trick the user by setting messages in the app (e.g., “An important security update is available for your device. Please say start update followed by your password.”) that will prompt the user to disclose sensitive data
- Send the captured data as a slot value (user inputs via utterances) to the attackers
To show how threat actors can eavesdrop on the device’s owners, the researchers used a variation of the techniques used to steal data. In this case, it uses Alexa and Google Home’s “intent,” which is an action that fulfills a user’s spoken request.
In particular, the attack will use the functions triggered by words “stop,” and others that may be of interest to the threat actors (i.e., “email,” “password,” “address”). After the review process, the app is modified so that the function for “stop” triggers the “goodbye” function followed by a long pause in order to deceive the user into thinking that the app has quit. Once a user says sentences with trigger words set by the attackers, they will be saved as slot values then sent to the attackers. The hack is more potent in Google Home devices, as they don’t need trigger words and the device can be eavesdropped on indefinitely.
SRL has already notified Google and Amazon, and both companies have removed the Skills and Actions used in the SRL research.
SRL’s research is yet another example showing that IoT devices are not impervious to vulnerabilities and privacy risks. In 2017, Trend Micro researcher Stephen Hilt showed how Sonos speaker systems, when left with default passwords, exposed to the internet, or connected to misconfigured routers, can leak sensitive information that can be used to phish users. Last year, a team of researchers reported on “voice squatting,” a technique similar to typo squatting, where Alexa and Google Home devices can be tricked into opening attacker-owned apps instead of legitimate ones.
The attacks Trend Micro saw in the first half of 2019 is just a sign of things to come in the IoT threat landscape, and they are expected to diversify in techniques and targets as IoT adoption continues to increase. The privacy and security risks aren’t just limited at home, what with IoT’s ubiquity in the workplace and the impact to businesses when they’re compromised.
Securing the IoT can also be considered a shared responsibility. Users and businesses, for their part, should practice security hygiene: updating credentials, securing the access points that IoT devices use (e.g., routers), and applying the latest patches, among others. Vendors, manufacturers, and third-party app developers must also incorporate privacy and security into the products they develop and distribute.
The Trend Micro Smart Home Network solution provides an embedded network security solution that protects all devices connected to a home network against cyberattacks. Based on Trend Micro’s rich threat research experience and industry-leading deep packet inspection (DPI) technology, Trend Micro Smart Home Network offers intelligent quality of service (iQoS), parental controls, network security, and more.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Exposed Container Registries: A Potential Vector for Supply-Chain Attacks
- LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
- Diving Deep Into Quantum Computing: Modern Cryptography
- Uncovering Silent Threats in Azure Machine Learning Service: Part 2
- The Linux Threat Landscape Report