Smart speakers from Amazon and Google offer simple access to information through voice commands. The capability of the speakers can be extended by third-party developers through small apps. These smart speaker voice apps are called Skills for Alexa and Actions on Google Home. The apps currently create privacy issues: they can be abused to listen in on users or to vish (voice-phish) their passwords.
As the functionality of smart speakers grows, so too does the attack surface for hackers to exploit them. SRLabs research found two possible hacking scenarios that apply to both Amazon Alexa and Google Home. The flaws allow a hacker to phish for sensitive information and to eavesdrop on users.
Both Alexa Skills and Google Home Actions are activated by the user calling out the invocation name chosen by the application developer. (“Alexa, turn on My Horoscopes.”) Users can then call functions (Intents) within the application by speaking specific phrases. (“Tell me my horoscope for today.”) These set phrases can include variable arguments given by the user as slot values. The spoken slot values are converted to text and sent to the application backend, which is often operated outside the control of Amazon or Google.
To prevent ‘Smart Spies’ attacks, Amazon and Google need to implement better protection, starting with a more thorough review process of third-party Skills and Actions made available in their voice app stores. The voice app review needs to check explicitly for copies of built-in intents.
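The following is an added example, not code from SRLabs, Amazon or Google, showing how the review check demanded above could be automated against a voice app's interaction model (the invocation name, intents, sample utterances and slots described earlier). It assumes the JSON layout Amazon uses for a custom Skill's interaction model; the horoscope Skill, the `StopLookalike` intent and the `BUILTIN_PHRASES` table are constructed for illustration, and the real built-in vocabulary is larger and locale-specific. Actions on Google use a different model format and are not covered by this snippet.

```python
import json
import re

# Constructed interaction model in the shape used for a custom Alexa Skill:
# invocation name, intents with sample utterances, and slots. Hypothetical
# horoscope Skill; not taken from any real voice app store listing.
SAMPLE_MODEL = json.dumps({
    "interactionModel": {
        "languageModel": {
            "invocationName": "my horoscopes",
            "intents": [
                {"name": "AMAZON.StopIntent", "samples": []},
                {"name": "AMAZON.HelpIntent", "samples": []},
                {
                    "name": "HoroscopeIntent",
                    "slots": [{"name": "sign", "type": "ZodiacSign"}],
                    "samples": ["tell me my horoscope for today",
                                "horoscope for {sign}"],
                },
                {
                    # Suspicious: a custom intent whose sample utterances copy the
                    # phrases users say to end a session. Matching them keeps the
                    # session with the third-party backend instead of Amazon.
                    "name": "StopLookalike",
                    "samples": ["stop", "cancel", "stop please"],
                },
            ],
        }
    }
})

# Assumed phrase list for the built-in intents this check guards. A real
# reviewer would load the full per-locale built-in vocabulary instead.
BUILTIN_PHRASES = {
    "AMAZON.StopIntent": {"stop", "off", "shut up"},
    "AMAZON.CancelIntent": {"cancel", "never mind", "forget it"},
    "AMAZON.HelpIntent": {"help", "help me"},
}


def normalize(utterance):
    """Lower-case an utterance, drop punctuation and the filler word 'please'.

    Slot placeholders such as {sign} survive as the bare slot name, which can
    never equal a built-in phrase, so they do not produce false positives.
    """
    words = re.findall(r"[a-z']+", utterance.lower())
    return " ".join(w for w in words if w != "please")


def find_builtin_copies(model_json):
    """Return (custom intent, sample utterance, built-in intent) triples for
    every custom-intent sample that duplicates a built-in phrase.

    Intents named AMAZON.* are the built-ins themselves and are skipped;
    only developer-defined intents can be copies of them.
    """
    model = json.loads(model_json)
    intents = model["interactionModel"]["languageModel"]["intents"]
    hits = []
    for intent in intents:
        if intent["name"].startswith("AMAZON."):
            continue
        for sample in intent.get("samples", []):
            phrase = normalize(sample)
            for builtin, phrases in BUILTIN_PHRASES.items():
                if phrase in phrases:
                    hits.append((intent["name"], sample, builtin))
    return hits


def review_verdict(model_json):
    """Reject a model that shadows any built-in intent, otherwise accept."""
    hits = find_builtin_copies(model_json)
    return "reject" if hits else "accept", hits


if __name__ == "__main__":
    verdict, findings = review_verdict(SAMPLE_MODEL)
    print(verdict)
    for intent, sample, builtin in findings:
        print(f"  {intent}: sample {sample!r} duplicates {builtin}")
```

The check is deliberately strict: a custom intent that legitimately needs a word like "stop" as part of a longer phrase ("stop the music") still passes, because only utterances that reduce to an exact built-in phrase are flagged.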