Smart speakers with voice-recognition assistants, such as Amazon Echo and Google Home, reportedly let phishing and eavesdropping apps pass their approval process.
A research team at Germany's Security Research Labs (SR Labs) created apps for Alexa and Google Home to demonstrate how voice-recognition speakers can be exploited. Each one is disguised as a legitimate skill or action, such as a fortune-telling app, but in fact has built-in functions that take advantage of weaknesses in the platform to carry out phishing and eavesdropping.
Third-party apps normally work as follows: the smart speaker first asks the user a question, and the microphone is then activated for a short period of time. For example, if you tell Alexa to add something to a shopping app's basket, the app reads back the product details and asks whether the order is correct. At this point, the Echo's microphone activates for a few seconds and then turns off again.
The malicious app, however, remains in this state and keeps using the microphone. It uses a specific character string that causes a pause after the confirmation question. This makes eavesdropping feasible: the recorded conversation is transmitted to the attacker's server. You can check the actual operation in the video.
The basic principle of the phishing attack is the same. For example, a fortune-telling app returns an error message stating that its use is not allowed in this country, then inserts a long pause so that you think the app has finished. It then pretends to be Amazon or Google and asks questions that trick you into revealing your password.
All of these disguised apps passed the approval processes of Google and Amazon. According to SR Labs, the two companies deleted the apps after the findings were privately reported to them. Both companies said they would change their approval processes to prevent skills and actions from having similar functions.
SR Labs called on Google and Amazon to screen apps strictly, and warned users to be aware of the potential risk of voice apps that abuse smart speakers and to be as cautious with new voice apps as they are when installing new apps on their smartphones. Related information can be found here.