More than a year after first reports of phishing and eavesdropping vectors impacting Amazon Alexa and Google Home devices were made public, hackers continue to exploit these assistants as the two companies fail to address the security loopholes in their respective smart home devices (via ZDNet).
According to security researchers Luise Frerichs and Fabian Bräunlein from SRLabs, both the phishing and eavesdropping vectors are “exploitable via the backend that Amazon and Google provide to developers” of Alexa or Google Home custom apps.
For those who aren’t familiar, backends provide access to functions that developers can use to customize the commands to which a smart assistant responds and the way the assistant replies.
The SRLabs team discovered that by adding the “?. ” (U+D801, dot, space) character sequence to various locations inside the backend of a normal Alexa/Google Home app, they could induce long periods of silence during which the assistant remains active.
The character sequence is used to keep the device active and record a user’s conversation.
“Finding and banning unexpected behavior such as long pauses should be relatively straight-forward,” the SRLabs team told ZDNet. “We are surprised that this hasn’t happened since reporting the vulnerabilities several months ago.”
Meanwhile, a Google spokesperson has issued the following statement:
“All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies. We have review processes to detect the type of behavior described in this report, and we removed the Actions that we found from these researchers. We are putting additional mechanisms in place to prevent these issues from occurring in the future.”
Google has also said that its staff is currently reviewing actions from all third-party apps.