Your Amazon or Google speaker could be spying on you, but it probably isn't

Smart speakers like an Amazon Echo or Google Home exist to listen for your voice and provide feedback. This functionality is amazing for users, and a nightmare for any security professional. That's why so much time and effort is spent by those security researchers and professionals into poking holes into these smart speakers' armor, so they can pass along these vulnerabilities to the companies that make the products and get them patched as soon as possible.

And researchers from SRLabs have shared a pretty peculiar little hack with ZDNet that uses a special character to keep microphones on when you think they are off.

Researchers are constantly looking at ways to hack home assistants. That's a good thing.

These special characters can be used by third-party developers inside Alexa or Google Assistant apps or "skills". When the software that powers these devices encounters the odd character, they insert a long pause where the unit is silent but still listening. In other words, you may assume the speaker is no longer listening but it very much is.

And of course, there are ways that this can be used for all sorts of trickery, like stealing your passwords or just listening to you talk to someone else in the room.

The hardware features that allow you to know the device is listening aren't being bypassed in any way. You can see in the video above that the Echo's light ring is on the entire time. But not everyone is going to notice this or even know what it means — they would just know that Alexa or Assistant is done talking and assume everything is finished. While the videos show the exploit in action on Amazon devices, Google Home products do exactly the same thing and keep listening in the same way.

This seems like a good reason to toss your home assistant products in the trash, but don't stand up just yet: these third-party apps aren't going to be something you can easily install, mainly because both Google and Amazon have extensive checks before an application is approved for their assistant platforms. The hacks themselves are pretty severe, but the distribution chance is very low.

What should I do?

Don't panic. While there is absolutely no reason that the software driving a Google Home or Amazon Echo should act this way when it encounters the special character in question — especially since SRLabs has notified both companies months ago — you're not going to install something that can use it unless you act as a developer and load your own applications. If you only install approved software from Amazon or Google, you're installing something that has been checked to make sure this isn't happening.

Checking to make sure this exploit isn't in any published apps is OK, but fixing the exploit would be better.

That's not a great response from either company. A fix that can shunt this behavior or stop it from happening in the first place is the real fix, not relying on manual inspection of applications before they are published. There is no reason why both safeguards are not in place and I expect better from both companies. So should you. But knowing how this hack operates and that someone at Amazon and Google is checking to make sure it doesn't appear in your favorite news app or agenda tracker is better than nothing.

Chances are that this bit of unwanted publicity will cause both Amazon and Google to fix the flaw the right way, so there's that. Here's hoping it happens sooner rather than later.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.