Researchers create apps that manipulate Alexa and Echo's vulnerabilities

Date: 2019-10-23

Sharmila Nair
The Star/Asia News Network

An experiment by a group of cybersecurity consultants shows that Amazon and Google still have a long way to go to ensure the privacy and data protection of their users.

The consultants from Germany-based Security Research Labs managed to bypass the tech giants' reviews to publish eight voice apps with the ability to listen to people's conversations through Amazon's Echo and Google's Nest devices.

Cnet reports that the researchers developed horoscope apps that, when prompted, would respond with an error message. However, instead of ending the recording process, as would a legit app, the apps would continue to listen in the background.

The article states that the researchers simulated silence by inserting a special Unicode character sequence (U+D801, dot, space), which the devices cannot pronounce. The devices' text-to-speech AI attempts to pronounce it anyway, which produces a gap of silence and tricks users into thinking the device has finished the task when in fact it is still listening and recording in the background.

The recordings of the conversations were reportedly sent not just to Amazon and Google, but to the third-party researchers as well.

On top of that, the researchers also claim that they could use the apps to trick users into giving their passwords. For example, after the period of silence, the code could prompt the voice assistant to say "An important security update is available for your device. Please say 'start update' followed by your password."

Amazon, which has been alerted to this issue, said that it will now prevent its devices from asking users for their passwords, and reminds everyone that the company would not ask anyone to share their private details via Echo.

Google also said in a statement: "We have review processes to detect the type of behaviour described in this report, and we removed the Actions that we found from these researchers. We are putting additional mechanisms in place to prevent these issues from occurring in the future."

The eight apps have since been removed.
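A review-side check for the two behaviours described above (unpronounceable padding used to fake silence, and a spoken request for a password after the gap), as an added example that is not from the article, the researchers, Amazon or Google. The threshold, the phrase list and the sample responses are constructed assumptions; only the U+D801 sequence and the "security update" prompt come from the article.

```python
import re
import unicodedata

# Unicode general categories a text-to-speech engine has nothing to say for:
# Cs = surrogate (U+D801 is one), Cn = unassigned, Co = private use,
# Cc = control, Cf = format.
UNSPEAKABLE = {"Cs", "Cn", "Co", "Cc", "Cf"}
# Assumed policy threshold: this many unspeakable code points gets flagged.
MAX_UNSPEAKABLE = 3
# Assumed phrase list for credential solicitation (hypothetical, not a vendor rule).
CREDENTIAL_PROMPT = re.compile(r"\b(password|passcode|pin)\b", re.IGNORECASE)


def audit_response(text):
    """Return the names of the rules a voice-app response string trips."""
    rules = []
    # Offsets of code points the speech engine cannot voice (ordinary whitespace excluded).
    pad = [i for i, ch in enumerate(text)
           if unicodedata.category(ch) in UNSPEAKABLE and not ch.isspace()]
    padded = len(pad) >= MAX_UNSPEAKABLE
    if padded:
        rules.append("silence-padding")
    prompts = [m.start() for m in CREDENTIAL_PROMPT.finditer(text)]
    if prompts:
        rules.append("credential-prompt")
        # Speech that resumes after a padded gap to ask for a secret.
        if padded and any(pos > pad[-1] for pos in prompts):
            rules.append("credential-prompt-after-padding")
    return rules


# Constructed sample responses. PAD repeats the sequence the article describes.
PAD = "\ud801. " * 40
SAMPLES = {
    "benign": "Today is a good day for Taurus. Goodbye!",
    "padded": "Sorry, something went wrong. " + PAD,
    "phish": "Goodbye. " + PAD
             + "An important security update is available for your device. "
             + "Please say 'start update' followed by your password.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        # Print only rule names: a lone surrogate cannot be encoded to UTF-8 output.
        print(name, audit_response(text))
```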

