Amazon and Google smart speakers steal passwords for hackers HomePod users needn't worry

22. 10. 2019

Not so long ago, there was a scandal on the Internet about the eavesdropping of users. Smart speakers from Amazon and Google played a leading role. Now it turns out that many third-party apps can do even more.

Smart speakers from Amazon and Google are different from Apple HomePod once essential function. They allow third-party applications to use the device's hardware. The software engineers of both companies thus wage an endless battle with hackers, who are always one step ahead.

Security experts shared with the ZDNet server about their findings. The entire attack on the user consists in using a simple loophole in the operation of the operating system of the speaker with a built-in microphone.

This is because third-party applications have the ability to access the speaker's microphone only for a limited time limit. However, there is an option to extend this time in the event that it was not possible to understand the user's command. And this is exactly the path that hackers use.

A connection error occurred. Please enter your Google Account password

The standard behavior of the application roughly corresponds to the following situation:

I ask Alexa to add items to my app shopping cart from a chain store. The application checks the order history to compare the parameters of the goods and then asks me for confirmation. At the same time, it activates the microphone and waits for a yes or no answer. If I don't answer, the microphone turns off after a few seconds.

However, there is a way to bypass the microphone mute. This can be achieved with a special text string "�. ” written into the application code. This can easily increase the microphone activation time from a few seconds to much longer. The application can thus eavesdrop on the user all the time.

The second option is even more insidious. The string can be used and set even for the processing of an audio instruction. Subsequently, the application can be forced to ask for a password to, for example, an Amazon or Google account. The videos below clearly show the entire process.

Meanwhile, Apple does not allow third-party apps to access the HomePod's microphone directly, and probably never will to the same extent as Amazon and Google. All developers must use a special API that handles voice. Its users are safe for now.

Topics: hacker, Amazon, microphone, Google, video lesson, function, user, Application, Apple Lossless Audio CODEC (ALAC),

Discussion of the article

Your name

Your comment

By filling in the above data, I acknowledge that the company TEXT FACTORY s.r.o., registered office in Brno, Durďákova 336/29, Černá Pole, ZIP code: 613 00, ID number: 06157831, registered at the Regional Court in Brno, section C, insert 100399, will process my personal data provided in the registration form filled out by me on the basis of the legitimate interests of TEXT FACTORY s.r.o. according to Article 6 paragraph 1 letter f) GDPR and to fulfill legal obligations (Article 6, paragraph 1, letter c) GDPR), for the following purposes: the necessity to ensure the authorization of visitors to websites operated by TEXT FACTORY s.r.o. to actively contribute to published articles or within discussion forums and exercising the rights of TEXT FACTORY s.r.o. as the administrator of these discussion forums. More information about the processing of personal data and rights can be found in Lessons on personal data protection. the entire text

A connection error occurred. Please enter your Google Account password

It could be interest you

Related