Skip to Content
Computing

Smart speakers can be hijacked by apps that spy on users

October 21, 2019
An Amazon Echo smart speaker on a table
An Amazon Echo smart speaker on a table
An Amazon Echo smart speaker on a tableAssociated Press

Third-party apps hosted on Google and Amazon smart speakers could be secretly eavesdropping on users or phishing for their passwords, according to Security Research Labs, a hacking consultancy based in Germany.

How they know: The company created eight apps—four for Amazon Alexa and four for Google Home—that surreptitiously logged all conversations within earshot of the device they were installed on, and then sent a copy to a designated server. They mostly masqueraded as apps for checking horoscopes, according to Ars Technica. In the eavesdropping version, a user would ask the app to give them a horoscope. It would respond with the information requested and then go silent, giving the impression it was no longer running when in fact it was still recording. The phishing-style apps gave a fake error message and then asked for the user’s password. They all passed Google’s and Amazon’s security vetting procedures, although they have since been removed. The developers explained how the apps were created in a post, which you can read here.

The companies’ response: Both told Ars Technica they are changing their approval processes to stop their products from being hijacked this way. However, that they were ever approved in the first place is evidence that tech companies do not invest enough time or energy in vetting the apps they choose to host on their platforms.

Mounting concern: It’s widely known that smart speakers pose a privacy threat. Workers employed by the likes of Amazon, Google, and Apple routinely listen to clips from users’ devices, and the sounds recorded from smart speakers can be used in criminal trials (not that this has dented their popularity with the paying public).

Some context: This isn’t the first time hackers have shown that a smart speaker can be turned into a spying device. In a December 2018 presentation at DefCon,  a pair of researchers proved it’s possible if you can get the attack tool onto the same Wi-Fi network. But this latest attack shows that the privacy threat from smart speakers could come not only from the manufacturers, but from hackers too.

Sign up here for our daily newsletter The Download to get your dose of the latest must-read news from the world of emerging tech.

Deep Dive

Computing

Conceptual illustration of quantum computing circuity, in multiple colors
Conceptual illustration of quantum computing circuity, in multiple colors

Quantum computing has a hype problem

Quantum computing startups are all the rage, but it’s unclear if they’ll be able to produce anything of use in the near future.

winning team for Pwn2own 2022
winning team for Pwn2own 2022

These hackers showed just how easy it is to target critical infrastructure

Two Dutch researchers have won a major hacking championship by hitting the software that runs the world’s power grids, gas pipelines, and more. It was their easiest challenge yet.

child outside a destroyed residential building in Kiev
child outside a destroyed residential building in Kiev

Russia hacked an American satellite company one hour before the Ukraine invasion

The attack on Viasat showcases cyber’s emerging role in modern warfare.

A rescuers search for bodies under the rubble of a building destroyed by Russian shelling, amid Russia's Invasion of Ukraine, in Borodyanka, Kyiv region, Ukraine, April 11, 2022. (Photo by Sergii Kharchenko/NurPhoto via AP)
A rescuers search for bodies under the rubble of a building destroyed by Russian shelling, amid Russia's Invasion of Ukraine, in Borodyanka, Kyiv region, Ukraine, April 11, 2022. (Photo by Sergii Kharchenko/NurPhoto via AP)

Russian hackers tried to bring down Ukraine’s power grid to help the invasion

As Russia’s ground war stalls, hackers attempted to cause a blackout for two million people.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.