Virtual assistant services have been called out in the past for weak links in their security and privacy practices. In May this year, Amazon was found to be retaining copies of users’ transcripts on its servers even after users had deleted their interactions with Alexa. Now a new report from Security Research Labs shows that Google Assistant and Amazon Alexa have vulnerabilities that can let an attacker eavesdrop on the user and impersonate the service provider (phishing as Google or Amazon). The vulnerabilities are detailed in a long article and summarised in a few short videos.
According to the two videos that cover eavesdropping, one of the vulnerabilities lets an attacker keep listening after the user has finished giving a command. The report indicates the attacker can keep the microphone open for up to thirty seconds after the command is received. During this period the user has no indication that the device is still listening, so anything said in that window can be captured by the attacker without the user’s knowledge.
The two videos that cover the phishing vulnerability show an even more dangerous scenario, in which the user unknowingly speaks their password to the attacker. In the videos, the exploited device tells the user that a software update is ready but that the user’s account password is needed to proceed. The device then listens for the password and passes it to the attacker, and an account password can in turn unlock stored payment details such as the user’s credit card information. The point to note is that the request comes from the attacker, not from Google or Amazon, even though it is read out in the assistant’s own voice.
Both vulnerabilities take some effort to exploit, but getting a smart speaker or smart display to ask for the user’s password is clearly achievable. With the account password, an attacker can easily obtain details such as the user’s home and work address. The videos posted by Security Research Labs are a reminder never to share your account password with anyone or anything, including the device itself: neither Google Assistant nor Amazon Alexa will ever ask you to speak your account password out loud.