
Smart speakers can be hijacked by apps that spy on users

October 21, 2019
An Amazon Echo smart speaker on a table (Associated Press)

Third-party apps hosted on Google and Amazon smart speakers could be secretly eavesdropping on users or phishing for their passwords, according to Security Research Labs, a hacking consultancy based in Germany.

How they know: The company created eight apps—four for Amazon Alexa and four for Google Home—that surreptitiously logged all conversations within earshot of the device they were installed on, and then sent a copy to a designated server. They mostly masqueraded as apps for checking horoscopes, according to Ars Technica. In the eavesdropping version, a user would ask the app to give them a horoscope. It would respond with the information requested and then go silent, giving the impression it was no longer running when in fact it was still recording. The phishing-style apps gave a fake error message and then asked for the user’s password. They all passed Google’s and Amazon’s security vetting procedures, although they have since been removed. The developers explained how the apps were created in a post.

The companies’ response: Both told Ars Technica they are changing their approval processes to stop their products from being hijacked this way. However, the fact that the apps were approved in the first place is evidence that tech companies do not invest enough time or energy in vetting the apps they choose to host on their platforms.

Mounting concern: It’s widely known that smart speakers pose a privacy threat. Workers employed by the likes of Amazon, Google, and Apple routinely listen to clips from users’ devices, and the sounds recorded from smart speakers can be used in criminal trials (not that this has dented their popularity with the paying public).

Some context: This isn’t the first time hackers have shown that a smart speaker can be turned into a spying device. In a December 2018 presentation at DefCon, a pair of researchers proved it’s possible if you can get the attack tool onto the same Wi-Fi network. But this latest attack shows that the privacy threat from smart speakers could come not only from the manufacturers, but from hackers too.
