How voice assistants can be used to phish passwords

We have seen a wealth of articles on the security and privacy issues around voice assistants. This week I came across a new and far more concerning article on this by Ars Technica: “Amazon- and Google-approved apps turned both voice-controlled devices into ‘smart spies’”.

“By now, the privacy threats posed by Amazon Alexa and Google Home are common knowledge. Workers for both companies routinely listen to audio of users—recordings of which can be kept forever—and the sounds the devices capture can be used in criminal trials.

Now, there’s a new concern: malicious apps developed by third parties and hosted by Amazon or Google. The threat isn’t just theoretical. Whitehat hackers at Germany’s Security Research Labs developed eight apps—four Alexa “skills” and four Google Home “actions”—that all passed Amazon or Google security-vetting processes. The skills or actions posed as simple apps for checking horoscopes, with the exception of one, which masqueraded as a random-number generator. Behind the scenes, these “smart spies,” as the researchers call them, surreptitiously eavesdropped on users and phished for their passwords”.

Behind the scenes they phished for their users’ passwords

We all knew that there were some big questions concerning the privacy implications of voice assistants. A common phrase I would come across was “I don’t mind Google or Amazon having my data”. Perhaps that is how you feel, but when attackers can abuse these voice assistants and compromise your privacy, things become much more concerning.

“The malicious apps had different names and slightly different ways of working, but they all followed similar flows”.

When a user asked for their horoscope, the eavesdropping apps gave a response and then fell silent whilst secretly logging the conversations that were in earshot of the device. The phishing apps worked in a similar way, but they responded with “an error message that claims the skill or action isn’t available in that user’s country. They then go silent to give the impression the app is no longer running. After about a minute, the apps use a voice that mimics the ones used by Alexa and Google Home to falsely claim a device update is available and prompts the user for a password for it to be installed”.

A really great article by Ars Technica. Read the full article and watch the videos here: https://arstechnica.com/information-technology/2019/10/alexa-and-google-home-abused-to-eavesdrop-and-phish-passwords/
