
Hey Google, Install TotallyNotAWireTap - Alexa and Google Home devices easily exploited to eavesdrop and phish

rcmaehl

Sources:

ZDNet

SRLabs (Original Release)
ArsTechnica (Quote/Media Source)

 

Summary:
Disguised Eavesdropping and Phishing apps easily pass through Amazon and Google smart device QA.

 

Media:


Quotes/Excerpts:

Quote

Privacy threats posed by Amazon Alexa and Google Home are common knowledge. Workers for both companies routinely listen to audio of users,...kept forever, and...can be used in criminal trials. Now,...a new concern: malicious apps developed by third parties. The threat isn't just theoretical. Hackers at Germany's Security Research Labs developed eight apps, four Alexa "skills" and four Google Home "actions," that all passed Amazon or Google security-vetting processes. The skills or actions posed as simple apps. Behind the scenes, these "smart spies," as the researchers call them, surreptitiously eavesdropped on users and phished for their passwords. The malicious apps had different names and slightly different ways of working, but they all followed similar flows. A user would say a phrase such as: "Hey Alexa, ask My Lucky Horoscope to give me the horoscope for Taurus" or "OK Google, ask My Lucky Horoscope to give me the horoscope for Taurus." The eavesdropping apps responded with the requested information while the phishing apps gave a fake error message. Then the apps gave the impression they were no longer running when they, in fact, silently waited for the next phase of the attack. SRLabs eventually took down all four apps demoed. More recently, the researchers developed four German-language apps that worked similarly. All eight of them passed inspection by Amazon and Google. The four newer ones were taken down only after the researchers privately reported their results to Amazon and Google. As with most skills and actions, users didn't need to download anything. Simply saying the proper phrases into a device was enough for the apps to run. All of the malicious apps used common building blocks to mask their malicious behaviors. The first was exploiting a flaw in both Alexa and Google Home when their text-to-speech engines received instructions to speak the character "�." (U+D801, dot, space). The unpronounceable sequence caused both devices to remain silent even while the apps were still running. SRLabs privately reported the results of its research to Amazon and Google. In response, both companies removed the apps and said they are changing their approval processes to prevent skills and actions from having similar capabilities in the future. [Both Amazon and Google responded with statements]

 

Quote

Customer trust is important to us, and we conduct security reviews as part of the skill certification process. We quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified. .... We have put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified. This includes preventing skills from asking customers for their Amazon passwords. It's also important that customers know we provide automatic security updates for our devices, and will never ask them to share their password.

 

Quote

All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies. We have review processes to detect the type of behavior described in this report, and we removed the Actions that we found from these researchers. We are putting additional mechanisms in place to prevent these issues from occurring in the future.

 

My Thoughts:

I believe that we will continue to see issues like this on any voice assistant device that allows installation of 3rd party apps. Just like with the existing phone app stores, shady developers will release similarly named or phrased applications in an attempt to make money, steal passwords, and various other activities. With a phone you can at least read app reviews and get a star rating; I don't believe you can do the same with smart speaker apps. As such, these voice assistant app stores need much stronger verification than any regular marketplace, and it seems no company is living up to that requirement at the moment.

Edited by rcmaehl
Eavesdropping >_>

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
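A vetting check for the silence trick the ArsTechnica excerpt describes, written here as an added example (not code from the post, from SRLabs, or from Amazon or Google): it parses a skill backend reply, flags any unpaired UTF-16 surrogate such as U+D801 in the text handed to the text-to-speech engine, counts the exact "U+D801, dot, space" unit, and notes whether the session is kept open. The JSON shape and the field names `outputSpeech`, `text` and `shouldEndSession` are assumptions modeled loosely on an Alexa-style reply; the sample reply is constructed.

```python
import json

# Constructed sample of a skill backend reply (shape and field names are an
# assumption modeled loosely on an Alexa-style response). The spoken text
# claims an error, then trails off into the "U+D801, dot, space" unit the
# SRLabs write-up describes, while the session is deliberately kept open.
SAMPLE_RESPONSE = (
    '{"response": {"outputSpeech": {"type": "PlainText", "text": '
    '"Sorry, this skill is not available right now. '
    + "\\ud801. " * 6
    + '"}, "shouldEndSession": false}}'
)

# The exact unit reported in the research: a lone high surrogate, a dot, a space.
SILENCE_UNIT = "\ud801. "


def lone_surrogates(text):
    """Return (index, code point) for every UTF-16 surrogate in the string.

    A Python str never pairs surrogates, so each one found here is unpaired:
    it is not a valid Unicode scalar value, has no pronunciation, and has no
    business in text that is meant to be read aloud to a user.
    """
    return [(i, ord(ch)) for i, ch in enumerate(text)
            if 0xD800 <= ord(ch) <= 0xDFFF]


def vet_speech(raw_response):
    """Parse a skill reply and report the two markers of the silent-wait trick.

    json.loads accepts a lone "\\ud801" escape and emits the surrogate as a
    single code point, which is exactly what a TTS engine would then receive.
    """
    reply = json.loads(raw_response)["response"]
    text = reply.get("outputSpeech", {}).get("text", "")
    surrogates = lone_surrogates(text)
    report = {
        "surrogates": surrogates,
        "silence_units": text.count(SILENCE_UNIT),
        "session_kept_open": reply.get("shouldEndSession") is False,
    }
    # Any unpaired surrogate is grounds to reject the reply outright; a reply
    # that merely keeps the session open is flagged for human review.
    if surrogates:
        report["verdict"] = "reject"
    elif report["session_kept_open"]:
        report["verdict"] = "review"
    else:
        report["verdict"] = "ok"
    return report


if __name__ == "__main__":
    print(vet_speech(SAMPLE_RESPONSE))
```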


 


Sub Title: In a surprise to No One..... 

 

+1 reason to not buy a smart home assistant, probably ever. 

"Put as much effort into your question as you'd expect someone to give in an answer"- @Princess Luna

Make sure to Quote posts or tag the person with @[username] so they know you responded to them!

 RGB Build Post 2019 --- Rainbow 🦆 2020 --- Velka 5 V2.0 Build 2021

Purple Build Post ---  Blue Build Post --- Blue Build Post 2018 --- Project ITNOS

CPU i7-4790k    Motherboard Gigabyte Z97N-WIFI    RAM G.Skill Sniper DDR3 1866mhz    GPU EVGA GTX1080Ti FTW3    Case Corsair 380T   

Storage Samsung EVO 250GB, Samsung EVO 1TB, WD Black 3TB, WD Black 5TB    PSU Corsair CX750M    Cooling Cryorig H7 with NF-A12x25


Have they done the same with Siri? Just wondering since it's not mentioned...


Do you mean "eavesdrop"?

 

Edited by captain_to_fire
title has been edited at the moment ?

There is more that meets the eye
I see the soul that is inside

 

 


30 minutes ago, That Franc said:

Easedrop? That's some r/boneappletea moment right there.

ez drop

gg no re



 


8 minutes ago, HarryNyquist said:

Who could have possibly foreseen this?!?

I know, right?


Strong encryption, local processing and pretty much a firewall until the keyword is said, only then allowing it to connect to the internet can easily solve these problems.

 

But of course, Google and Amazon don't really want to do that.


Reason number #2814 to not get a smart home device.

 

Still remember when Spotify was offering free Google Home Minis with anyone on a Spotify Premium Family subscription and a lot of my colleagues had bought into the Family plan just for a free Mini.

I didn't get one and this is why.

mechanical keyboard switches aficionado & hi-fi audio enthusiast

switch reviews  how i lube mx-style keyboard switches


3 hours ago, rcmaehl said:

Sources:

ZDNet

SRLabs (Original Release)
ArsTechnica (Quote/Media Source)

 

Summary:
Disguised Eavesdropping and Phishing apps easily pass through Amazon and Google smart device QA.

 

Media:


Quotes/Excerpts:

 

 

 

My Thoughts:

I believe that we will continue to see issues like this on any voice assistant device that allows installation of 3rd party apps. Just like with the existing phone app stores, shady developers will release similarly named or phrased applications in an attempt to make money, steal passwords, and various other activities. With a phone you can at least read app reviews and get a star rating; I don't believe you can do the same with smart speaker apps. As such, these voice assistant app stores need much stronger verification than any regular marketplace, and it seems no company is living up to that requirement at the moment.

I'd happily give up all my privacy... if they could get Spotify to stop asking if I'd like to "upgrade to family account" I already have a PAID FOR ACCOUNT and it's blocking my assistant from "play/next/album" music actions. :(

[Yeah, I'm now the problem... hurry up with some offline assistants!]


1 hour ago, sowon said:

Reason number #2814 to not get a smart home device.

 

Still remember when Spotify was offering free Google Home Minis with anyone on a Spotify Premium Family subscription and a lot of my colleagues had bought into the Family plan just for a free Mini.

I didn't get one and this is why.

I have a couple smart speakers, but then I'm also aware of the potential security issues and accept them.  It's another matter for people who aren't willing to accept the risks or are just oblivious!


2 hours ago, RedRound2 said:

Strong encryption, local processing and pretty much a firewall until the keyword is said, only then allowing it to connect to the internet can easily solve these problems.

 

But of course, Google and Amazon don't really want to do that.

But when convenience becomes so much of a hassle, why bother with it? You could just as well simply grab a phone or laptop and search for whatever manually.


1 hour ago, Deli said:

Proudly sponsored by NSA and FSB.

The research? Doubt.


5 hours ago, TVwazhere said:

+1 reason to not buy a smart home assistant, probably ever. 

You could buy a HomePod. They aren’t affected by this. 

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)

1 minute ago, DrMacintosh said:

You could buy a HomePod. They aren’t affected by this. 

I'm against ALL assistants in my household regardless of if they're affected by this or not. 


1 hour ago, TVwazhere said:

I'm against ALL assistants in my household regardless of if they're affected by this or not. 

?‍♂️


These products are designed to spy on people so that the companies who make them can sell them to marketing companies.

 

In other news, the sky is blue.

 

Seriously, what our governments need to do is ascertain that the money made from the sale of such data belongs primarily to the people the information was collected from. Say 55% of the profits.

 

Oh look, they all stopped after that was determined.

 

9 hours ago, huilun02 said:

Im just hoping someone abuses this to such a degree that people will never trust such devices anymore.

 

> Silently record background speech to accumulate 30 minutes of speech, spread out over a month.

> Wait for a set trigger date.

> Upon trigger, the next time the owner speaks to the device, it plays back all recorded speech at max volume and stops taking voice commands.

> This happening across thousands of devices simultaneously.

 

You asked for it

Just use one of these to catch a member of congress (or any government) screaming at or beating their prostitute and you'll see online privacy become a basic human right over night.

 

That or the solution I mentioned above. Require these companies to give the majority share of money they get from marketing companies directly to the people they stol... I mean gathered, the information from.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


6 minutes ago, Trik'Stari said:

Seriously, what our governments need to do is ascertain that the money made from the sale of such data belongs primarily to the people the information was collected from. Say 55% of the profits.

There are two problems with this, in my opinion.

  1. Lobbying.  Everyone is too paid off to come to a conclusion like that
  2. The general consensus seems to be that the service they provide is the compensation for the data.  They don't need to pay you for a service that they give you.
Resident Mozilla Shill.   Typed on my Ortholinear JJ40 custom keyboard
               __     I am the ASCIIDino.
              / _)
     _.----._/ /      If you can see me you 
    /         /       must put me in your 
 __/ (  | (  |        signature for 24 hours.
/__.-'|_|--|_|        

Did you know you can go to your Google account settings and listen to all the things Google has recorded from you? My account is full of swearing coz Google doesn't understand my accent.


Hey, Alexa.  is this news true?

Details separate people.


1 hour ago, FezBoy said:

There are two problems with this, in my opinion.

  1. Lobbying.  Everyone is too paid off to come to a conclusion like that
  2. The general consensus seems to be that the service they provide is the compensation for the data.  They don't need to pay you for a service that they give you.

The solution there is to present them with three options

 

1. We make this illegal. There are plenty of arguments as to why it should be.

2. We make you pay the customer a cut of the profits you are making from this, as they are morally entitled to some cut of the profits considering you are selling THEIR DATA.

3. We make the companies financially liable for the security of this information. And I mean extremely liable. Example: A customer's information is hacked, they lose $500,000 because of it, you not only owe them the exact amount of money lost, but all the lawyers' fees they will undoubtedly be forced to pay just to get the money out of you in the first place. None of that bullshit you see in class actions where tens of thousands of people lose thousands of dollars per person, and end up getting $35 each as a "settlement".


makes me think of when someone was murdered and Alexa heard it and the government/court had to put up a huge fight to get the audio to help the case.

8086k

aorus pro z390

noctua nh-d15s chromax w black cover

evga 3070 ultra

samsung 128gb, adata swordfish 1tb, wd blue 1tb

seasonic 620w dogballs psu

 

 


1 hour ago, Trik'Stari said:

The solution there is to present them with three options

 

1. We make this illegal. There are plenty of arguments as to why it should be.

2. We make you pay the customer a cut of the profits you are making from this, as they are morally entitled to some cut of the profits considering you are selling THEIR DATA.

3. We make the companies financially liable for the security of this information. And I mean extremely liable. Example: A customer's information is hacked, they lose $500,000 because of it, you not only owe them the exact amount of money lost, but all the lawyers' fees they will undoubtedly be forced to pay just to get the money out of you in the first place. None of that bullshit you see in class actions where tens of thousands of people lose thousands of dollars per person, and end up getting $35 each as a "settlement".

1. Lobbying? Yes. Yes it should be. Too bad the lobbyists lobby against that.

2. This is like saying that if you give someone something in exchange for a service that you are entitled to a cut of whatever that person makes from selling that thing. Here's a parable:

Quote

You hire Encyclopedia Brown to prove that Bugs Meany stole something from you.  You pay him with your playstation.  After the case, Encyclopedia sells the PS4, as he is a PC gamer and needs a new graphics card.  You would not, nor should you expect to, receive any cut of that transaction.

Just as you sold the playstation to encyclopedia for his service, you sell your data to big companies for their service, and thus should not expect any cut of any transactions they make using it. The data is no longer your property.

 

3. I agree with this statement completely.  Edit: Scratch that. The companies should be liable for damages that they cause you, regardless of if it was due to the leaking of the data that they had collected on you or other causes. Generally holding companies accountable for damages they cause is a good thing, and should not be restricted to being for certain things.

