Little Smart Speakers Have Big Ears, Pt. 1
Can smart speakers like Amazon Echo, Google Home and Apple HomePod be hacked? It’s a question worth asking since over 39 million Americans own a smart speaker. The answer is a definite yes—smart speakers join the ranks of PCs, laptops, and other devices vulnerable to malicious spyware attacks.
The good news is you can take steps to protect your information and your privacy.
How It’s Done
The types of breaches vary. For example, researchers at the research firm Security Research Labs (SRL) were able to upload a malicious piece of software disguised as a genuine Alexa or Google demand. They then collected personal data, such as passwords from users, and they were able to eavesdrop on users after they thought the smart speaker was turned off. Other researchers think it’s possible for hackers to send a sound or signal — one your smart speaker might interpret as a command — to control your device.
This malicious software is installed via third party apps you upload to your device. "Consumers need to be aware that they are sending data to third parties when using voice apps," explains Security Research Labs (SRL) researcher Karsten Nohl. "These apps do not need to be installed on the device, but instead are invoked through phrases that the app developer chooses."
Third-party software for either smart speaker has to be vetted and approved by Google or Amazon before it can be used with their smart speakers. However, ZDNet notes that the companies don’t check updates to existing apps. This allows hackers to sneak malicious code into software updates and gain access to smart speaker user information.
Both Apple and Google are taking security very seriously and Amazon said it has put new mitigations in place to prevent and detect skills from being able to do this kind of thing in the future. It said that it takes down skills whenever this kind of behavior is identified. Google says it has review processes to detect this kind of behavior, and has and has temporarily disabled some actions while this is taking place.
Stay tuned. In the next post here at OZone, we’ll give you some tips on how to protect your privacy and your information.