Smart speakers have been hit with several scandals over privacy and user protections this year, and now there’s a new, even riskier one unfolding. White-hat hackers based in Germany developed eight apps for smart speakers that were able to eavesdrop on users and phish their passwords.
The four Alexa skills and four Google Home actions successfully passed the tech companies’ security examinations. While they were available to consumers, these apps, which were mostly presented as simple software such as a horoscope checker, conducted either eavesdropping or phishing attacks. The phishing apps gave users false error messages, then used a voice that imitates the one used by the device to ask for the individual’s password to continue.
The apps were created by Security Research Labs, which has since removed them after privately reporting its results to Amazon and Google.
“It was always clear that those voice assistants have privacy implications—with Google and Amazon receiving your speech, and this possibly being triggered on accident sometimes,” Fabian Bräunlein, senior security consultant at SRLabs, told Ars Technica. “We now show that, not only the manufacturers, but… also hackers can abuse those voice assistants to intrude on someone’s privacy.”