
Smart speakers can be hijacked by apps that spy on users

October 21, 2019
An Amazon Echo smart speaker on a table (Associated Press)

Third-party apps hosted on Google and Amazon smart speakers could be secretly eavesdropping on users or phishing for their passwords, according to Security Research Labs, a hacking consultancy based in Germany.

How they know: The company created eight apps—four for Amazon Alexa and four for Google Home—that surreptitiously logged all conversations within earshot of the device they were installed on, and then sent a copy to a designated server. They mostly masqueraded as apps for checking horoscopes, according to Ars Technica. In the eavesdropping version, a user would ask the app to give them a horoscope. It would respond with the information requested and then go silent, giving the impression it was no longer running when in fact it was still recording. The phishing-style apps gave a fake error message and then asked for the user’s password. They all passed Google’s and Amazon’s security vetting procedures, although they have since been removed. The developers explained how the apps were created in a post, which you can read here.

The companies’ response: Both told Ars Technica they are changing their approval processes to stop their products from being hijacked this way. However, that they were ever approved in the first place is evidence that tech companies do not invest enough time or energy in vetting the apps they choose to host on their platforms.

Mounting concern: It’s widely known that smart speakers pose a privacy threat. Workers employed by the likes of Amazon, Google, and Apple routinely listen to clips from users’ devices, and the sounds recorded from smart speakers can be used in criminal trials (not that this has dented their popularity with the paying public).

Some context: This isn’t the first time hackers have shown that a smart speaker can be turned into a spying device. In a December 2018 presentation at DefCon, a pair of researchers proved it’s possible if you can get the attack tool onto the same Wi-Fi network. But this latest attack shows that the privacy threat from smart speakers could come not only from the manufacturers, but from hackers too.
