Google Home and Amazon Alexa have admitted that conversations on their devices are not strictly confidential, as they send some audio snippets to employees who listen to voice recordings of customers to help improve the software. Now a group of white-hat hackers has claimed that third-party apps hosted by Alexa and Google Home can log users’ conversations. They have demonstrated this and shown how the apps can trick users into thinking that they aren’t active while still eavesdropping on them. The apps can even entice users to share sensitive information, said developers at Security Research Labs, a Germany-based hacking research firm. They discovered the flaw earlier this year and informed both Google and Amazon about it. The firm has now released a series of videos to demonstrate how hackers could exploit it.
The developers created four Google Home “actions” and four Alexa “skills” that pose as random number generators or astrology apps but are designed to secretly listen to Google Home and Alexa users and send a transcript back to third-party servers. Certain versions of the apps mimic Google Assistant or Alexa, pretending to offer some kind of software update and tempting users to give their password. All the apps passed Amazon's and Google's security checks, which means that they could have been made available for users to download on either platform. Both companies have claimed that the issue has already been fixed.
In a video posted on YouTube, SRLabs explained how these apps work. First, the app gives the user the expected message, such as a brief horoscope or a randomly generated number. The voice assistant then goes silent, giving the user the impression that the app has closed. However, it continues to run in the background, listening to conversations and sending transcripts to the third-party server. A few minutes later, it says there’s a company update and asks the user to provide their password. However, there doesn’t appear to be any evidence of any such manipulation being carried out by hackers.