INSUBCONTINENT EXCLUSIVE:
Image copyrightGetty ImagesImage caption
The smart speakers continued listening after users commanded the apps stop
Amazon Echo and Google Home speakers have been compromised by apps modified to spy on users after being approved by the
Berlin-based Security Research Labs (SRL) built the eight "smart spies", which were promoted as a way to deliver horoscopes and generate
random numbers.Once approved, the researchers updated the Echo Skills and Home Actions to eavesdrop and steal passwords.They then alerted
the US companies, which blocked the software."Smart spies undermine the assumption that voice apps are only active as long as they are in
dialogue with the user," Karsten Nohl, SRL's chief scientist, told TheIndianSubcontinent News.Image Copyright SRLabsSRLabsCreating them
had been a fairly easy process that required relatively little programming experience, he said
They were activated when a user said something like: "Alexa, turn on my horoscopes," or: "OK Google, ask My Lucky Horoscope to give me the
horoscope for Taurus."When the user tried to turn off the app, they heard a "Goodbye" message but the software carried on running for
several more seconds rather than deactivating immediately.If, in that time, the person said a phrase including the word "I" or other chosen
terms, their speech was transcribed and sent back to SRL.One giveaway something was not right was the smart-speaker light remained turned
on, indicating it was still listening, according to Mr Nohl.And, he suggested, this should be something smart-speaker owners kept an eye
on.A variation of the attack involved the app saying: "An important security update is available for your device
Please say, 'Start update,' followed by your password."Anything the user said after the word "Start" was then sent back to the
developer."Users should be very suspicious when any smart speaker asks for a password, which no regular app is supposed to do," Mr Nohl
added.David Emm, a security analyst at Kaspersky Lab, said people needed to remember some of the apps offered for Amazon Echo and Google
Home devices were made by third parties."We all need to aware of the capabilities of these devices," he said."They're 's mart listeners',
Their capabilities extend to apps that we use with them."Google said it had removed SRL's Actions
"We are putting additional mechanisms in place to prevent these issues from occurring in the future," the company added
Amazon said: "Customer trust is important to us and we conduct security reviews as part of the skill certification process
"We quickly blocked the Skill in question and put mitigations in place to prevent and detect this type of Skill behaviour and reject or take
them down when identified."
