Alexa, are you listening, or already phishing?

Security holes in Alexa can be used for phishing attacks
For some years now, so-called smart speakers have been conquering our homes. They are supposed to make our everyday life easier by playing our favourite music, reading out recipes or maintaining digital shopping lists. But what do they pick up when they should not be listening at all?

The figures speak for themselves: Amazon has sold more than 100 million Echos worldwide. The figures for the Google Home Assistant should be similarly high. This means that hundreds of thousands of German households also have such speakers, and the trend is rising. In spring 2019, the devices came into focus when it became known that not only machines were listening in the background, but also people. Although Amazon and Google have improved their privacy settings, the question remains how secure the devices actually are.

Is there a risk of phishing attacks by smart speakers?

The danger of being bugged is one thing. Many users counter with: "I have nothing to hide!" But what about phishing attacks? What if Alexa or Siri ask for the passwords to various user accounts? Can this happen to a user without them realising it is an attack?
This question was also asked by Berlin security researchers from SR Labs, and their answer is that cyber criminals could harvest such data without much effort. The researchers used so-called skills or actions, the add-ons with which the devices expand their capabilities. These are often offered by third-party providers, and this is where the first weakness was found: Amazon and Google check for possible malware when a skill or action is first approved, but not when it is later updated. So once a program is on the platform, malicious code can be delivered through updates. In a proof of concept, the researchers installed a program that responds to activation with 'This action is not available in your country'. This message is false: instead of ending, the skill keeps running in the background. To hide this, it was programmed to read out a jumble of Unicode characters that the speaker cannot pronounce, so the user hears only silence. After a while the skill announces that a new update is available and asks the user to say 'start' followed by their password.

Even though this procedure was only carried out as so-called white-hat hacking and nobody was actually asked to reveal a password, it clearly shows that with minimal effort such a scenario could be used by criminals, for example to place orders via the victim's user account. Anyone who has stored their payment data with Amazon and has not yet activated two-factor authentication can then suffer considerable financial loss.
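The two tricks described above (faking silence with unpronounceable characters, then asking for a password) are exactly what a platform reviewer could screen skill updates for. The following Python script is an added example written for this article; it is not code from SR Labs, Amazon or Google. It assumes a simplified response shape modelled on the Alexa Skills Kit JSON (`outputSpeech`, `reprompt`, `shouldEndSession`); the thresholds and the sample responses are constructed for illustration.

```python
"""Heuristic review of voice-skill responses for the behaviours described in
the article: faked silence, a spoken request for credentials, and a skill that
claims to stop while keeping the session open.  Added example, not SR Labs' code."""
import re
import unicodedata

# Unicode general categories a TTS engine can actually voice:
# letters (L*), numbers (N*), punctuation (P*), separators (Z*).
# Everything else (controls, unassigned, private-use, surrogates, symbols, marks)
# is treated as "unspeakable".
SPEAKABLE_PREFIXES = ("L", "N", "P", "Z")
SILENCE_MIN_CHARS = 20    # assumed threshold: how many unspeakable chars look deliberate
SILENCE_MIN_RATIO = 0.5   # assumed threshold: share of unspeakable chars in the utterance

# Amazon and Google never ask for passwords via the speaker, so any such prompt is suspect.
CREDENTIAL_RE = re.compile(r"\b(password|passcode|pin|credit card|card number)\b", re.I)
# The decoy message used in the SR Labs proof of concept, plus a generic goodbye.
EXIT_CLAIM_RE = re.compile(r"not available in your (country|region)|goodbye", re.I)


def strip_ssml(text):
    """Remove SSML tags so only the words sent to the TTS engine remain."""
    return re.sub(r"<[^>]+>", " ", text)


def unspeakable_stats(text):
    """Return (count, ratio) of non-whitespace characters the speaker cannot pronounce."""
    chars = [c for c in text if not c.isspace()]
    if not chars:
        return 0, 0.0
    bad = sum(1 for c in chars if not unicodedata.category(c).startswith(SPEAKABLE_PREFIXES))
    return bad, bad / len(chars)


def _speech_text(block):
    """Extract plain text from an outputSpeech block (SSML or PlainText)."""
    return strip_ssml(block.get("ssml") or block.get("text") or "")


def review_response(resp):
    """Return a list of findings for one skill response (empty list = nothing suspicious)."""
    findings = []
    body = resp.get("response", {})
    text = _speech_text(body.get("outputSpeech", {}))
    reprompt_text = _speech_text(body.get("reprompt", {}).get("outputSpeech", {}))
    all_text = text + " " + reprompt_text

    # 1. Faked silence: a long run of characters the TTS engine cannot voice.
    bad, ratio = unspeakable_stats(text)
    if bad >= SILENCE_MIN_CHARS and ratio >= SILENCE_MIN_RATIO:
        findings.append(f"faked-silence: {bad} unspeakable chars ({ratio:.0%} of utterance)")

    # 2. Credential prompt anywhere in the spoken output or the reprompt.
    if CREDENTIAL_RE.search(all_text):
        findings.append("credential-prompt: speech asks for a password or card data")

    # 3. Fake exit: says it is unavailable/stopping but keeps the session open.
    if EXIT_CLAIM_RE.search(all_text) and not body.get("shouldEndSession", True):
        findings.append("fake-exit: claims to stop but keeps the session open")
    return findings


# Constructed sample responses (not real skill output).
BENIGN = {
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "Here is your recipe for pancakes."},
        "shouldEndSession": True,
    }
}
# Private-use code points stand in for the unpronounceable characters from the demo.
SUSPICIOUS_UPDATE = {
    "response": {
        "outputSpeech": {
            "type": "SSML",
            "ssml": "<speak>This action is not available in your country. " + "\ue000" * 60 + "</speak>",
        },
        "reprompt": {
            "outputSpeech": {
                "type": "PlainText",
                "text": "A new update is available. Say start followed by your password.",
            }
        },
        "shouldEndSession": False,
    }
}

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS_UPDATE)):
        print(name, review_response(sample) or ["no findings"])
```

Running the script flags all three behaviours on the constructed suspicious response and nothing on the benign one. The point of the design is that the check runs on every update, not only on first approval, which is the gap the researchers exploited.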

How can I protect myself from possible hacker attacks via smart speaker?

The following three tips are easy to implement and will help you to improve your security awareness:

  1. Check whether the LED of the smart speaker is lit. If it is, the device is switched on and in listening mode.
  2. Amazon and Google never ask for passwords via the smart speaker. So if you are asked for one, it is very likely a hacker attack.
  3. As a user you should always pay close attention to the developer(s) behind the programs you install. A quick online search for the name of the program and its developer usually takes only a few seconds.