Are Smart Home Devices Stealing Passwords?

Category: Blog  |  Friday, October 25th, 2019

“Hey Alexa.” Ok Google, are you listening?

*Crickets chirp in the silence* Absolutely they are.

While it may seem like the game of rock paper scissors you just played with Alexa is finished (apparently she plays), there could still be someone listening in through your Amazon Alexa or Google Smart Home device.

Aren’t privacy concerns already an issue with smart assistants? Again, absolutely they are. Recently, however, it may be more than just the employees of these companies who are listening in.

Security Research Labs announced, after creating downloadable voice applications for both smart assistants, that the new apps “could listen in on people’s conversations.”

Here’s the kicker: “All of the apps passed through the companies’ reviews for third-party apps.”

Security Research Labs speculated there might be a way to sneak malicious voice apps into the stores that would then be available to Google Nest and Amazon Echo users. Eight of them were created, and all eight of them passed through the vetting process to be released to public consumers.

If a research organization could do it, surely someone with far more to gain (financial information, for example) could create and sneak in malicious applications.

How do these apps work?

Per the security researchers, the eavesdropping applications take advantage of the *cricket… cricket* silence. For example, a horoscope app was created; when it was downloaded and asked a question, it would respond with an error message. Instead of ending the recording when the error message finished, as it normally would, the app kept listening in the background.

“�. ” (U+D801, dot, space): that is the sequence the developers added to the application to simulate silence. It cannot be pronounced, but the device still processes it, which creates a silent gap in which the app continues listening even when the “conversation” is over.

A video example is listed below where the recorded conversation was sent to “third-party developers,” not just Amazon and Google servers.

Another video example is listed below where these malicious apps are used to trick users into divulging their passwords: “An important security update is available for your device. Please say ‘start update’ followed by your password.”
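A review-side check for the two behaviours described above, the unpronounceable “silence” sequence and the spoken password prompt. This is an added example, not code from Security Research Labs, Amazon or Google; it assumes a reviewer can read a voice app's response text as a string, and the function names, rule patterns and first two sample responses are constructed for illustration.

```python
import re

# Hypothetical review rules; all names are assumptions for this example.
CREDENTIAL = re.compile(r"\b(password|passcode|pin)\b", re.IGNORECASE)
SOLICIT = re.compile(r"\b(say|tell|speak|provide)\b", re.IGNORECASE)

def is_lone_surrogate(ch):
    # In a Python str, any code point in U+D800-U+DFFF is an unpaired
    # surrogate: it has no character assigned and cannot be pronounced.
    return 0xD800 <= ord(ch) <= 0xDFFF

def trailing_padding_length(text):
    """Length of a trailing run of surrogates, dots and spaces, counted
    from its first surrogate; 0 if the text ends normally."""
    n = len(text)
    while n and (is_lone_surrogate(text[n - 1]) or text[n - 1] in ". \t\n"):
        n -= 1
    tail = text[n:]
    first = next((i for i, c in enumerate(tail) if is_lone_surrogate(c)), None)
    return 0 if first is None else len(tail) - first

def review_response(text):
    """Return sorted findings for one response string."""
    findings = set()
    if any(is_lone_surrogate(c) for c in text):
        findings.add("unpronounceable-code-point")
    if trailing_padding_length(text):
        findings.add("trailing-silent-padding")
    if CREDENTIAL.search(text) and SOLICIT.search(text):
        findings.add("asks-for-credential")
    return sorted(findings)

# Constructed sample responses (the last prompt is the one quoted above).
SAMPLES = {
    "horoscope_ok": "Today is a good day to start something new.",
    "error_then_padding": "This app is not available right now." + "\ud801. " * 20,
    "fake_update": "An important security update is available for your device. "
                   "Please say 'start update' followed by your password.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, review_response(text))
```

The check only inspects text it is given, so it has to be run on what the app's backend returns at the time of use as well as at submission.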

Our advice? Be wary of any application you download, whether on your phone, desktop, or smart home device. If you do update your password, always use the official website and ensure you enable two-factor authentication for a successful password change.

If you need assistance with IT Managed Services or Security Services give EnhancedTECH a call at 714-970-9330 or reach us at [email protected]

–Emmy Siegler


