Smart speakers like an Amazon Echo or Google Home exist to listen for your voice and provide feedback. This functionality is amazing for users, and a nightmare for any security professional. That's why so much time and effort is spent by those security researchers and professionals into poking holes into these smart speakers' armor, so they can pass along these vulnerabilities to the companies that make the products and get them patched as soon as possible.
And researchers from SRLabs have shared a pretty peculiar little hack with ZDNet that uses a special character to keep microphones on when you think they are off.
Researchers are constantly looking at ways to hack home assistants. That's a good thing.
These special characters can be used by third-party developers inside Alexa or Google Assistant apps or "skills". When the software that powers these devices encounters the odd character, they insert a long pause where the unit is silent but still listening. In other words, you may assume the speaker is no longer listening but it very much is.
And of course, there are ways that this can be used for all sorts of trickery, like stealing your passwords or just listening to you talk to someone else in the room.
The hardware features that allow you to know the device is listening aren't being bypassed in any way. You can see in the video above that the Echo's light ring is on the entire time. But not everyone is going to notice this or even know what it means — they would just know that Alexa or Assistant is done talking and assume everything is finished. While the videos show the exploit in action on Amazon devices, Google Home products do exactly the same thing and keep listening in the same way.
This seems like a good reason to toss your home assistant products in the trash, but don't stand up just yet: these third-party apps aren't going to be something you can easily install, mainly because both Google and Amazon have extensive checks before an application is approved for their assistant platforms. The hacks themselves are pretty severe, but the distribution chance is very low.
What should I do?
Don't panic. While there is absolutely no reason that the software driving a Google Home or Amazon Echo should act this way when it encounters the special character in question — especially since SRLabs has notified both companies months ago — you're not going to install something that can use it unless you act as a developer and load your own applications. If you only install approved software from Amazon or Google, you're installing something that has been checked to make sure this isn't happening.
Checking to make sure this exploit isn't in any published apps is OK, but fixing the exploit would be better.
That's not a great response from either company. A fix that can shunt this behavior or stop it from happening in the first place is the real fix, not relying on manual inspection of applications before they are published. There is no reason why both safeguards are not in place and I expect better from both companies. So should you. But knowing how this hack operates and that someone at Amazon and Google is checking to make sure it doesn't appear in your favorite news app or agenda tracker is better than nothing.
Chances are that this bit of unwanted publicity will cause both Amazon and Google to fix the flaw the right way, so there's that. Here's hoping it happens sooner rather than later.
Improved assistant and better bass
There isn't much room in such a small device for large improvements, but somehow Nest pulled it off. 2 X better bass and more on-device smarts make this a smart buy.
An inexpensive entry into Alexa's world
The Echo Dot (3rd Gen) has a familiar design and decent speakers for the size of the device and comes in at an extremely affordable price point.
