If you’re using one of those digital assistants like Alexa, Cortana or Google Home, you’ve probably gotten used to the idea that they’re sometimes listening to you when they’re not supposed to. (Either that or you really don’t follow the news very closely at all.) In addition to that, smart devices with cameras installed are probably recording videos and pictures of you when you don’t expect them to. But those are generally just instances of the people who make the devices looking for information to use when pitching ads to you. (Hopefully.)
As it turns out, however, hackers are able to come after you using the same systems by creating apps and hiding malware in them. As Ars Technica reports this week, developers were able to sneak apps into the app stores that were capable of recording your activities if you installed them on your devices. Isn’t that just wonderful?
The threat isn’t just theoretical. Whitehat hackers at Germany’s Security Research Labs developed eight apps—four Alexa “skills” and four Google Home “actions”—that all passed Amazon or Google security-vetting processes. The skills or actions posed as simple apps for checking horoscopes, with the exception of one, which masqueraded as a random-number generator. Behind the scenes, these “smart spies,” as the researchers call them, surreptitiously eavesdropped on users and phished for their passwords.
“It was always clear that those voice assistants have privacy implications—with Google and Amazon receiving your speech, and this possibly being triggered on accident sometimes,” Fabian Bräunlein, senior security consultant at SRLabs, told me. “We now show that, not only the manufacturers, but… also hackers can abuse those voice assistants to intrude on someone’s privacy.”
The details of what the whitehat hackers were able to do are disturbing, to say the least. They developed a series of apps for both Amazon and Google with malicious code hidden in them and were able to get all of them into the store and available to the public. This calls the companies’ vetting processes into question at a minimum.
In one example, an app performed the seemingly harmless service of generating a random number for the user. Another provided your “lucky horoscope” on any given day. Both of these apps appeared to function normally, announced that they were finished and seemed to shut down. But the device was still listening, recording everything else said in the room and sending a transcript to the hacker’s server.
In another example, an app appeared to fail to perform and “shut down.” But then in a fake voice sounding like the digital assistant, it announced that an update was available and asked for the user to say or enter their password. That too was sent to the hacker’s server.
Check out this short video of one of the apps in action.
The linked article contains a detailed explanation of how these malicious apps pull off these tricks if you’re interested in that sort of thing. But the point is that the researchers conducting this test were easily able to do it (in multiple languages) and get the malware accepted into the online stores every time.
No, I don’t know what you’re supposed to do with this information aside from only downloading apps from trusted sources. But who’s a trusted source these days when even Amazon and Google have employees listening in on your activities? I have Cortana on my laptop because it came with that, but I’ve never enabled it. I also have the “okay Google” function on my phone that I use sometimes, but I don’t use all that many apps. This is apparently just one more risk you take every time you step out onto the information superhighway, I guess.