Voice-Controlled Digital Assistants can Steal Your Password
For many, devices like the Amazon Echo or Google Nest present a serious privacy concern, and more research has now been presented to support it. Security Research Labs has disclosed that eight voice applications were developed that can keep listening to people through devices from companies like Amazon and Google after the user presumes the app has stopped listening. This presents a vulnerability that could allow hackers to steal sensitive information such as passwords, social security numbers, or other personal information.
The apps demonstrated by Security Research Labs were disguised as horoscope apps. When the apps were prompted, they would respond with an error message. Instead of ending the recording process, though, the apps would keep listening in the background.
There are several videos available demonstrating the security risk presented by a voice-controlled digital assistant. In the one in this post, the researcher demonstrates how Google Home can be maliciously used to phish for your password using the “horoscope app”.
With this news, Google and Amazon have both responded.
Google responded by stating "All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies. We have review processes to detect the type of behavior described in this report, and we removed the Actions that we found from these researchers. We are putting additional mechanisms in place to prevent these issues from occurring in the future."
Amazon’s response noted that "Customer trust is important to us, and we conduct security reviews as part of the skill certification process. We quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified."
Voice-controlled assistant devices face a lot of scrutiny. Devices such as Amazon Alexa and Apple’s Siri are internet-connected microphones, which presents a major security concern, as Amazon, Apple and Google have all been accused of using human contractors to listen to conversations that the devices pick up in order to improve the software’s accuracy. Since this criticism, all three companies have adjusted their privacy policies related to accuracy research.
As a user, you should know that a company will never ask for your credentials through a voice assistant. Keep yourself secure by staying informed about the most up-to-date security issues involving voice-controlled devices, and remember to never provide your private credentials to any app on these devices.
Story via CNet