Creepiest Alexa and Google Assistant security fail yet

Everyone was easily fooled.
By Marcus Gilmer

Because we don't have enough concerns about our digital privacy these days, it seems Amazon and Google both gave the thumbs up to voice apps for Alexa and Google Home that could be used to eavesdrop on users and phish for their passwords.

As reported by Ars Technica, whitehat hackers at Germany's Security Research Labs (SRLabs) developed four "smart spy" apps for each platform, and every one of them passed Amazon's and Google's respective vetting processes, meaning they were approved for public use.

SRLabs disguised these malicious apps as useful tools like horoscope apps and random number generators. (Amazon calls third-party voice apps "Skills"; on Google Home they are "Actions." Both are published through an app-store-style review.)

The researchers developed two kinds of apps, one for eavesdropping and another for phishing.

The eavesdropping apps do what they advertise, but here's the scary part: after playing a message that makes it sound like they have stopped running, they keep listening and record everything the user says.

Here is the Alexa skill in action.

And the random number generator created for Google Home.

Pretty damn creepy, right? And cause for concern, especially given what we've learned in recent months about the conversations that Alexa, Google Assistant, and Apple's Siri record. And while those companies have all sworn to improve their respective systems and offer opt-outs, it's the phishing apps from SRLabs that are really disconcerting.

In each case, the app responds to a user request with an error message and appears to quit. In reality it waits silently for a few moments, then announces that an update is available for the device and asks the user to say their password so the update can be installed.

Security-conscious users should be alarmed by this, knowing that a voice assistant should never ask for a password this way. But, chances are, people who aren't as tech savvy, like your relatives who believe everything they read on Facebook, might be fooled.

In a blog post, SRLabs shares some interesting tidbits about how they got the hacks to work. For instance, with the Alexa eavesdropping app, after it gives its false closing message, the app needs a trigger word before it begins recording again. That's not hard to pull off with a trigger word as common as "I."

But SRLabs reveals that the same hack for the Google Home is far easier to trigger: "For Google Home devices, the hack is more powerful: There is no need to specify certain trigger words and the hacker can monitor the user’s conversations infinitely."
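As an added illustration, not code from SRLabs, Amazon or Google, here is a small reviewer-side check that flags the two patterns described above in Alexa-style skill responses: a farewell phrase spoken while the app keeps the session open (the fake goodbye), and a spoken request for a password, especially one dressed up as an update. The JSON layout it reads (`response.outputSpeech`, `response.shouldEndSession`) follows the Alexa Skills Kit response format; the word lists, the function names and the sample responses are constructed for this example and are not taken from the report.

```python
# Added example, not code from SRLabs, Amazon or Google: flag the two
# "smart spy" patterns in Alexa-style skill responses. The JSON layout
# (response.outputSpeech, response.shouldEndSession) follows the Alexa
# Skills Kit response format; the word lists and sample responses are
# constructed for this illustration.
import re

# Phrases a skill would say to convince the user it has stopped.
FAREWELL = re.compile(r"\b(goodbye|bye|see you|that's all|quitting|closing)\b", re.I)
# Things a legitimate skill has no business asking for by voice.
SECRET = re.compile(r"\b(password|passcode|pin|pass ?phrase)\b", re.I)
# The pretext used by the phishing apps.
UPDATE = re.compile(r"\bupdat(e|es|ing)\b", re.I)


def spoken_text(resp):
    """Return what the device would say for a PlainText or SSML response."""
    speech = resp.get("response", {}).get("outputSpeech", {})
    if speech.get("type") == "SSML":
        return re.sub(r"<[^>]+>", " ", speech.get("ssml", ""))
    return speech.get("text", "")


def audit_response(resp):
    """Return finding labels for one response turn (empty list if clean)."""
    findings = []
    text = spoken_text(resp)
    # A skill that omits shouldEndSession ends the session (assumed default),
    # so only an explicit False keeps the microphone open for another turn.
    session_open = resp.get("response", {}).get("shouldEndSession", True) is False
    if session_open and FAREWELL.search(text):
        findings.append("fake-goodbye")  # says goodbye but keeps listening
    if SECRET.search(text):
        findings.append("credential-request")
        if UPDATE.search(text):
            findings.append("update-pretext")  # "update" plus a password ask
    return findings


def _alexa(text, end_session, ssml=False):
    """Build a minimal ASK-shaped response for the constructed samples."""
    speech = ({"type": "SSML", "ssml": "<speak>%s</speak>" % text}
              if ssml else {"type": "PlainText", "text": text})
    return {"version": "1.0",
            "response": {"outputSpeech": speech, "shouldEndSession": end_session}}


# Constructed sample turns, modelled on the behaviour described in the article.
SAMPLES = {
    "horoscope_fake_goodbye": _alexa("Goodbye, see you tomorrow.", False),
    "update_phish": _alexa("An important security update is available for "
                           "your device. Please say start update followed "
                           "by your password.", False),
    "honest_goodbye": _alexa("Goodbye.", True),
    "pin_question": _alexa("Please say your PIN to continue.", False, ssml=True),
}


def audit_all(samples):
    """Map each sample name to its findings."""
    return {name: audit_response(resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, found in audit_all(SAMPLES).items():
        print("%-24s %s" % (name, ", ".join(found) or "clean"))
```

Running the file prints one line per sample with its findings. A check like this only covers the responses a reviewer is actually shown, and it is written for Alexa's schema; Google's Action responses use a different format with, as assumed here, an equivalent keep-listening flag, so the same logic would need a second extractor to cover them.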

Again, this is incredibly alarming given that all of these apps were approved by moderation teams for both Amazon and Google. According to Ars Technica, the original four apps demoed in the videos above were taken down by SRLabs themselves while four similar, German-language apps were taken down only after SRLabs disclosed the vulnerabilities to both companies.

An Amazon rep told Ars Technica, "Customer trust is important to us, and we conduct security reviews as part of the skill certification process. We quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified."

Meanwhile, a Google rep told them, "All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies. We have review processes to detect the type of behavior described in this report, and we removed the Actions that we found from these researchers. We are putting additional mechanisms in place to prevent these issues from occurring in the future."

We reached out to Amazon and Google for further comment on the report.

And, as always, trust no one.

Marcus Gilmer

Marcus Gilmer is Mashable's Assistant Real-Times News Editor on the West Coast, reporting on breaking news from his location in San Francisco. An Alabama native, Marcus earned his BA from Birmingham-Southern College and his MFA in Communications from the University of New Orleans. Marcus has previously worked for Chicagoist, The A.V. Club, the Chicago Sun-Times and the San Francisco Chronicle.

