Researchers found a new vulnerability affecting both Google and Amazon smart speakers that could allow hackers to eavesdrop on and even phish unsuspecting users.
The two vulnerabilities occur because both companies make their speakers smarter by allowing third-party developers to create apps or “skills” for them. On the other hand, Apple’s HomePod is safe as the company doesn’t allow this type of third-party access.
The vulnerability is a reminder to be more alert to the third-party software that you use with your voice assistants and to delete any that you’re unlikely to use again. There’s no evidence that the vulnerability has been exploited, and SRLabs disclosed its findings to both Amazon and Google before making them public.
Third-party apps should keep the microphone active for only a short time after the smart speaker asks the user a question. If you don’t reply within a few seconds, the microphone should be switched off again. However, a malicious app can leave the microphone active, so it keeps recording what it hears for much longer.
In a statement, Amazon said it has put new mitigations in place to prevent and detect skills that do this kind of thing in the future. It said that it will take immediate action whenever this kind of behavior is identified.
Google also stated that it has review processes to detect this kind of behavior, and has removed the actions created by the security researchers. A spokesperson also confirmed to the publication that the company is carrying out an internal review of all third-party actions, and has for the time being disabled some actions while this is taking place.