Although smart home devices have proven to be quite helpful, the privacy and security concerns associated with them can’t be ignored. A recent research revealed that the vulnerabilities linked with the backend systems of Alexa and Google Assistant voice app can be used by attackers to eavesdrop on users and/or trick them into giving up their passwords or other sensitive details associated with the account.
According to the report published by Security Research labs, hackers can utilize non-readable characters such as a “�” in the code of Skills (Alexa Assistant) or Actions (Google Assistant). This character, when stumbled upon, causes the system to pause for a considerable amount of time. This leads to the user assuming that something has gone wrong with the app.
The attackers can use this pause to their advantage as it enables them to listen to whatever the user says in the meantime. They can also send a voice transcript of the conversation that occurs during the pause to a server dedicated to the hackers.
If that wasn’t concerning enough, the attackers can also issue a fake update message during the pause in their voice. Most of the times, the update prompts user to give up sensitive information such as password or linked accounts. This is a trick to gain access to a user’s Amazon or Google account without them knowing.
Unless strict inspection protocols are applied, these hackers can easily get a hold of key commands that will help them in operating the virtual assistants. Security Research Labs notified both Google and Amazon about the vulnerability but the companies have yet to resolve the issue. Additionally, the attackers can easily exploit the app updates’ code until it gets inspected.
A Google spokesperson spoke to ZDNet about this fiasco and said that every Action on Google must follow the developer policies and any Action that doesn’t comply gets detected (with the help of review processes) and removed. The spokesperson also added that the Google has removed the Actions mentioned in the report. Amazon hasn’t issued any comments on the ongoing situation yet.
Additionally, Google is also spreading the word that Google Assistant will never ask a user for password or other key information through a voice skill. This is being done to alert the users about the ongoing situation and save them from any harm.
Read next: A new Research Claims that Your PC can be used for Generating Thousands of Sextortion Emails per hour!
According to the report published by Security Research labs, hackers can utilize non-readable characters such as a “�” in the code of Skills (Alexa Assistant) or Actions (Google Assistant). This character, when stumbled upon, causes the system to pause for a considerable amount of time. This leads to the user assuming that something has gone wrong with the app.
The attackers can use this pause to their advantage as it enables them to listen to whatever the user says in the meantime. They can also send a voice transcript of the conversation that occurs during the pause to a server dedicated to the hackers.
If that wasn’t concerning enough, the attackers can also issue a fake update message during the pause in their voice. Most of the times, the update prompts user to give up sensitive information such as password or linked accounts. This is a trick to gain access to a user’s Amazon or Google account without them knowing.
Unless strict inspection protocols are applied, these hackers can easily get a hold of key commands that will help them in operating the virtual assistants. Security Research Labs notified both Google and Amazon about the vulnerability but the companies have yet to resolve the issue. Additionally, the attackers can easily exploit the app updates’ code until it gets inspected.
- Also read: New Hacking Technique Uses WAV Files
A Google spokesperson spoke to ZDNet about this fiasco and said that every Action on Google must follow the developer policies and any Action that doesn’t comply gets detected (with the help of review processes) and removed. The spokesperson also added that the Google has removed the Actions mentioned in the report. Amazon hasn’t issued any comments on the ongoing situation yet.
Additionally, Google is also spreading the word that Google Assistant will never ask a user for password or other key information through a voice skill. This is being done to alert the users about the ongoing situation and save them from any harm.
Read next: A new Research Claims that Your PC can be used for Generating Thousands of Sextortion Emails per hour!
