For many, home speakers like Amazon’s Alexa and Google Home were must-have tech devices when they arrived. Their simplicity, centered around voice activation technology, was hailed in some corners. In other, more skeptical corners, privacy concerns dominate the debate. For security researchers, searching for vulnerabilities and flaws was just part of their daily job. In 2018, some of these flaws were brought to the public’s attention, with both Amazon and Google looking to solve the problems. Now, researchers working with SR Labs have published their findings detailing how the popular home speaker devices can be used for phishing and eavesdropping by threat actors.
Both the phishing and eavesdropping attack vectors discovered center around the backends the tech giants provide for developers to build apps. The backend allows developers to create apps that make the hardware respond to certain commands. Often these commands are customizable, so developers can create unique apps serving numerous needs. What researchers discovered is that the character sequence of the Unicode symbol U+D801, a dot, and a space, represented graphically as “�”, can be inserted into certain locations within the backend to induce long periods of silence while the speaker remains active.
The researchers have further posted two videos showing how both Alexa and Google Home can be used for phishing personal data. Such an attack centers around telling the user that the app has failed, then using the � character to induce a long pause, in an attempt to imitate an error. The app will then prompt the user with a phishing message with the intent of getting personal data. The phishing message is phrased in such a way as to make it appear that it has nothing to do with the previous app. Researchers presented an example involving a horoscope app that triggers the error but remains active. The app then presents the phishing message asking the user to provide their password. The message itself is presented as if it came from either Amazon or Google.
The eavesdropping attack vector also works by abusing the � character. Again the researchers posted videos illustrating this attack vector for both Alexa and Google Home, which showed the character sequence being used after the app receives a command from the user. The sequence is used to keep the home speaker active and record the user’s conversations. These conversations are stored in logs that can be sent to the attacker’s command and control server to be reprocessed as audio. Researchers did note that these attacks are possible because, while both tech giants vet the apps before release, they do not vet subsequent updates. This means that the abuse of the flaw within the backend can only occur once an earlier, clean version of the app is released, with subsequent updates looking to insert the character sequence to abuse the flaw.
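The gap described above, updates that are not re-vetted, can be narrowed with a check like the following, which compares an update's response text against the reviewed version and flags newly added unpronounceable sequences. It is an added example, not code from SR Labs, Amazon or Google; the response layout, the field names and the function names are assumptions, and the pattern generalizes from U+D801 to any unpaired surrogate.

```python
import re

# An unpaired UTF-16 surrogate (U+D800-U+DFFF) has no pronunciation; the page's
# sequence is U+D801 followed by a dot and a space.
SILENT_UNIT = re.compile(r"[\ud800-\udfff]\. ?")

def strings_in(node, path="$"):
    """Yield (path, text) for every string nested inside a response object."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from strings_in(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from strings_in(value, f"{path}[{index}]")

def scan(response):
    """Map each path to the number of silent units found in its text."""
    counts = {}
    for path, text in strings_in(response):
        units = len(SILENT_UNIT.findall(text))
        if units:
            counts[path] = units
    return counts

def review_update(reviewed, update):
    """Return (path, units) for silence the update adds over the reviewed version."""
    before = scan(reviewed)
    return [(p, n) for p, n in scan(update).items() if n > before.get(p, 0)]

# Constructed sample data; the field names are hypothetical.
REVIEWED = {"speech": "Here is your horoscope for today.", "end_session": True}
UPDATE = {
    "speech": "Sorry, something went wrong." + "\ud801. " * 40,
    "reprompt": ["\ud801. " * 12],
    "end_session": False,
}

if __name__ == "__main__":
    for path, units in review_update(REVIEWED, UPDATE):
        print(f"{path}: {units} unpronounceable units added since review")
```

A properly paired surrogate, such as an emoji, is a single code point in a Python string and is not flagged.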
Past Security Concerns
As mentioned above, this is not the first time security concerns have been brought to the attention of the tech giants. In April 2018 researchers discovered that Alexa could also be used for eavesdropping, but by a different method from the one mentioned above. Again in May, academics discovered other novel ways to exploit the hardware and software for malicious purposes. The academics described their research as follows:
“In our research, we analyzed the most popular VPA IoT systems – Alexa and Google Assistant, focusing on the third-party skills deployed to these devices for interacting with end-users over the voice channel. Our study demonstrates that through publishing malicious skills, it is completely feasible for an adversary to remotely attack the users of these popular systems, collecting their private information through their conversations with the systems. More specifically, we identified two threats never known before, called voice squatting attack (VSA) and voice masquerading attack (VMA). In a VSA, the adversary exploits how a skill is invoked (by a voice command), and the variations in the ways the command is spoken (e.g., phonetic differences caused by accent, courteous expression, etc.) to cause a VPA system to trigger a malicious skill instead of the one the user intends”
Then, not long after, in August of the same year, academics investigated what they called skill squatting attacks, which look to introduce errors within the natural language processing of the device to conduct malicious actions not intended by the user. Previous research had shown how a malicious actor could inject voice commands by exploiting flaws, rather than by deliberately introducing errors into the language processing. Both Amazon and Google were quick to address the flaws found by researchers and academics and make changes to their devices to prevent exploitation by malicious actors.
In response to the latest vulnerabilities, both Amazon and Google told ZDNet that they have already taken measures to mitigate the threat discovered by SR Labs. A Google spokesperson reiterated,
“All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies. We have review processes to detect the type of behavior described in this report, and we removed the Actions that we found from these researchers. We are putting additional mechanisms in place to prevent these issues from occurring in the future.”
Both Amazon and Google were quick to remind owners of their devices that the device will never ask for a user’s password. Further, they advise that users should never give passwords and other personal data when asked.