Amazon.com, Inc. (NASDAQ:AMZN)'s Alexa and Alphabet Inc (NASDAQ:GOOGL)'s Home devices are targets for hackers who want to steal sensitive information without the knowledge of users. In April 2018, security researchers detected eavesdropping vectors and phishing attacks on Amazon's Alexa. They also identified similar attacks on Google's Home smart assistants and Alexa in April 2018 and August 2018. Google and Amazon have implemented security measures each time to thwart the hackers' attempts. However, hackers keep finding new ways to exploit smart home devices.
Researchers detect the latest exploitation
Following the eavesdropping and phishing attacks detected earlier this year by Security Research Labs researchers Fabian Braunlein and Luise Frerichs, new attacks were revealed today. Hackers are using the backend that is made available to developers of custom apps for Google Home and Alexa to exploit eavesdropping and phishing vectors. Through the backend, developers get access to functions for customizing the commands that control smart home devices, and the devices reply based on those commands.
The security researchers demonstrated how Google Home smart speakers could be commanded to record users without their knowledge. They informed both Amazon and Google about the vulnerabilities in their smart home devices before disclosing them to the public.
Hackers keep devices in silent mode
Hackers send a series of commands that drive the device into a silent mode while it stays active. The user is told that the app has failed, and '?' is inserted to make a long pause. A phishing message is then passed on to the device, and the user believes it has nothing to do with the functioning of the device. The message tricks the user into revealing the password of their devices, as if it came from Amazon or Google. Hackers also use '?' for eavesdropping attacks.
Awareness for users of Google Home devices
Google warns its home assistant users that the smart home devices will never ask for the password. Staff at Google are reviewing the actions of third-party apps. Amazon told its Alexa users the same thing.