Fresh Google Assistant, Amazon Alexa vulnerabilities exposed for allowing eavesdropping, phishing

By Digit NewsDesk | Published on Oct 23 2019

HIGHLIGHTS

Security researchers expose new vulnerabilities with Google Assistant, Amazon Alexa

They allow attackers to eavesdrop on your commands, pose as the service provider

Virtual assistant services have been called out in the past for weak links in their security and privacy policies. In May this year, Amazon was found retaining copies of users’ transcripts on its servers even after users deleted their interactions with Alexa. Now, however, a new report from Security Research Labs suggests that Google Assistant and Amazon Alexa have vulnerabilities that can potentially allow online attackers to eavesdrop on the user and pose as the service provider (phishing as Google or Amazon). The vulnerabilities are detailed in a long article and explained in brief in a few short videos.

According to the two videos that talk about eavesdropping, one of the vulnerabilities opens the door for online attackers to listen in on the user after they have finished giving a command. Apparently, the vulnerability could give an attacker up to thirty seconds to eavesdrop on the user after the command is received. During this period, the user is unaware that the device is still listening to them. Any words uttered by the user during this period could be used against them without their knowledge in the future.

The two videos that cover the phishing vulnerability suggest an even more dangerous scenario where the user unknowingly discloses their password to the attacker. We see in the videos that the vulnerability, when exploited, informs the user that the device has a software update ready but needs the user’s account password to proceed. The device then listens for the user’s password and transmits it to the attacker, who could then use it as a key to the user’s credit card information.

While both vulnerabilities seem complicated to exploit, it’s not impossible for an attacker to get a smart speaker or smart display to ask for the user’s password. With the account password, it’s easy to obtain information like the user’s home and work address. The videos posted by Security Research Labs act as a reminder for all of us to never share our account passwords with anyone or anything, including the device itself. Neither Google Assistant nor Amazon Alexa will ever ask its users to speak their account password openly.
