{"id":29810,"date":"2019-10-20T19:00:05","date_gmt":"2019-10-20T19:00:05","guid":{"rendered":"http:\/\/e0469a02-3c84-46a2-a87a-febddcd6235c"},"modified":"2019-10-20T19:00:05","modified_gmt":"2019-10-20T19:00:05","slug":"alexa-and-google-home-devices-leveraged-to-phish-and-eavesdrop-on-users-again","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/alexa-and-google-home-devices-leveraged-to-phish-and-eavesdrop-on-users-again\/","title":{"rendered":"Alexa and Google Home devices leveraged to phish and eavesdrop on users, again"},"content":{"rendered":"

\"alexa-speaker.jpg\"<\/span><\/p>\n

Hackers can abuse Amazon Alexa and Google Home smart assistants to eavesdrop on user conversations without users’ knowledge, or trick users into handing over sensitive information.<\/p>\n

The attacks aren’t technically new. Security researchers have previously found similar phishing and eavesdropping vectors impacting Amazon Alexa in April 2018<\/a>; Alexa and Google Home devices in May 2018<\/a>; and again Alexa devices in August 2018<\/a>.<\/p>\n

Both Amazon and Google have deployed countermeasures every time, yet newer ways to exploit smart assistants have continued to surface.<\/p>\n

The latest ones were disclosed today, after being identified earlier this year by Luise Frerichs and Fabian Br\u00e4unlein, two security researchers at Security Research Labs (SRLabs), who shared their findings<\/a> with ZDNet last week.<\/p>\n

Both the phishing and eavesdropping vectors are exploitable via the backend that Amazon and Google provide to developers of Alexa or Google Home custom apps.<\/p>\n

These backends provide access to functions that developers can use to customize the commands to which a smart assistant responds, and the way the assistant replies.<\/p>\n

The SRLabs team discovered that by adding the “\ufffd. ” (U+D801, dot, space) character sequence to various locations inside the backend of a normal Alexa\/Google Home app, they could induce long periods of silence during which the assistant remains active.<\/p>\n

Phishing personal data<\/h3>\n
\n<\/section>\n

The two demos embedded below show how an attacker could carry out a phishing attack on both devices.<\/p>\n

The idea is to tell the user that an app has failed, insert the “\ufffd. ” to induce a long pause, and then prompt the user with the phishing message after a few minutes, tricking the target into believing the phishing message has nothing to do with the previous app with which they just interacted.<\/p>\n

For example, in the videos below, a horoscope app triggers an error, but then remains active, and eventually asks the user for their Amazon\/Google password while faking an update message from Amazon\/Google itself.<\/p>\n

Notice in the first video how Alexa’s blue status light remains active and never shuts off, a clear indicator that the previous app is still active and busy interpreting a long seriesof “\ufffd. ” character sequences.<\/p>\n

\n