A team of security researchers at SRLabs in Berlin have recently discovered several vulnerabilities within voice controlled smart devices such as Google Home & Amazon Alexa. These vulnerabilities can allow an attacker to eavesdrop via the victim device.
Researchers have discovered that some applications process user requests as normal but will then continue to listen for a longer period than necessary and even after the user has issued a command for the device to stop its current action.
While there are security measures in place to prevent malicious third-party applications from being uploaded to Google/Amazon app stores, checks are not so thorough on updates to existing applications due to the resources required to do so. By abusing this knowledge, an attacker can sneak their own code into the update of an already approved application so that they have a backdoor into the devices of users who have installed the update.
Once the attacker has a connection, they can query the device with characters that it cannot pronounce, by doing so the device will remain silent but continue listening for further commands for a short period of time. During this period all captured audio will be transcribed and sent to the attacker. This process can be repeated at well-timed intervals to allow the attacker to eavesdrop for as long as they want. This vulnerability can also allow for fake commands to be issued to the user via the device, for example an attacker could tell the device to ask the user for login credentials to re-authenticate their device to the Google/Amazon services, in attempt to harvest that user’s credentials.
These vulnerabilities are currently under investigation but in the meantime, any known apps or features that have exhibited this unusual post-command listening behaviour have been disabled until the issue has been resolved.