Smart Device Apps May Be Eavesdropping, Phishing for Users’ Passwords

October 21st, 2019 2:35 PM

Americans seem to love Big Tech’s latest smart devices for their conveniences, but are Amazon- and Google-approved apps being used to eavesdrop and phish for your passwords?

The answer, at least according to Ars Technica: “research suggests that possibility is by no means farfetched.” So, maybe.

News reports made it clear earlier this year that Big Tech is listening to you via Amazon Alexa and Google Assistant. Reports came out in April that full-time contract workers for Amazon have been listening to up to 1,000 audio clips, some lasting as long as nine hours. And in July, Dutch outlet VRT reported that Google has been keeping tabs on consumer conversations, using independent contractors to listen to audio recordings and transcribe them.

More recently, news reports showed that “Amazon Alexa Has ‘New Ways’ to Detect, Listen for Things in Your Home.” Amazon Echo has teamed up with Alexa Guard to allow Alexa to “alert you to the sounds of activity when you’re not home” too, even integrating your daily routines and, yes, also acting as your live-in “doorbell concierge.”

Google’s CEO Sundar Pichai wrote an op-ed in The New York Times back on May 7, 2019 titled “Google’s Sundar Pichai: Privacy Should Not Be a Luxury Good” in what appears to have been an attempt to quash concerns about consumer privacy. Acknowledging that people “are rightly concerned about how their information is used and shared,” Pichai informed readers of Google’s latest privacy features, which include “one-click access to privacy settings,” “auto-delete controls” and also “two-factor authentication” for Android phones.

But “there’s a new concern,” warned Ars Technica in a recent piece. “Whitehat hackers at Germany's Security Research Labs [SRLabs] developed eight apps—four Alexa ‘skills’ and four Google Home ‘actions’—that all passed Amazon or Google security-vetting processes.”

These skills or actions reportedly posed as horoscope-checking apps, and one even “masqueraded as a random-number generator,” but “[b]ehind the scenes, these ‘smart spies,’ as the researchers call them, surreptitiously eavesdropped on users and phished for their passwords.”

When prompted, the eavesdropping apps gave the expected responses and then appeared to go silent, while quietly logging all conversations within earshot of the device and sending a copy to a developer-designated server.

The phishing apps followed a different track, instead responding with a fake error message suggesting the apps were unusable in the user’s country. The apps then went silent to give the impression they were no longer running. A while later, the apps falsely claimed a device update was available and prompted users to speak their password, mimicking the voice prompts Alexa and Google Home themselves use.

“SRLabs privately reported the results of its research to Amazon and Google,” noted Ars Technica. “In response, both companies removed the apps and said they are changing their approval processes to prevent skills and actions from having similar capabilities in the future.”

But the success of SRLabs “raises serious concerns,” warned Ars Technica, and while “[t]here’s little or no evidence third-party apps are actively threatening Alexa and Google Home users now … SRLabs research suggests that possibility is by no means farfetched.”