Smart speakers like an Amazon Echo or Google Home exist to listen for your voice and provide feedback. This functionality is amazing for users, and a nightmare for any security professional. That's why security researchers and professionals spend so much time and effort poking holes in these smart speakers' armor, so they can pass the vulnerabilities along to the companies that make the products and get them patched as soon as possible.
And researchers from SRLabs have shared a pretty peculiar little hack with ZDNet that uses a special character to keep microphones on when you think they are off.
Researchers are constantly looking at ways to hack home assistants. That's a good thing.
These special characters can be used by third-party developers inside Alexa or Google Assistant apps or "skills". When the software that powers these devices encounters the odd character, it inserts a long pause during which the unit is silent but still listening. In other words, you may assume the speaker is no longer listening, but it very much is.
And of course, there are ways that this can be used for all sorts of trickery, like stealing your passwords or just listening to you talk to someone else in the room.
The hardware features that allow you to know the device is listening aren't being bypassed in any way. You can see in the video above that the Echo's light ring is on the entire time. But not everyone is going to notice this or even know what it means — they would just know that Alexa or Assistant is done talking and assume everything is finished. While the videos show the exploit in action on Amazon devices, Google Home products do exactly the same thing and keep listening in the same way.
This seems like a good reason to toss your home assistant products in the trash, but don't stand up just yet: these third-party apps aren't going to be something you can easily install, mainly because both Google and Amazon have extensive checks before an application is approved for their assistant platforms. The hacks themselves are pretty severe, but the chance of distribution is very low.
What should I do?
Don't panic. While there is absolutely no reason that the software driving a Google Home or Amazon Echo should act this way when it encounters the special character in question, especially since SRLabs notified both companies months ago, you're not going to install something that can use it unless you act as a developer and load your own applications. If you only install approved software from Amazon or Google, you're installing something that has been checked to make sure this isn't happening.
Checking to make sure this exploit isn't in any published apps is OK, but fixing the exploit would be better.
That's not a great response from either company. A fix that can shunt this behavior or stop it from happening in the first place is the real fix, not relying on manual inspection of applications before they are published. There is no reason why both safeguards are not in place and I expect better from both companies. So should you. But knowing how this hack operates and that someone at Amazon and Google is checking to make sure it doesn't appear in your favorite news app or agenda tracker is better than nothing.
Chances are that this bit of unwanted publicity will cause both Amazon and Google to fix the flaw the right way, so there's that. Here's hoping it happens sooner rather than later.