In order to fulfill the basic functions of our service, the user hereby agrees to allow Xiaomi to collect, process and use personal information which shall include but not be limited to written threads, pictures, comments, replies in the Mi Community, and relevant data types listed in Xiaomi's Private Policy. By selecting "Agree", you agree to Xiaomi's Private Policy and Content Policy .


[News] Alexa, Google Assistant Smart Speakers Can be Exploited for Phishing, Eavesdropping

2019-10-21 10:26:33
176 3

Hello MIUI'ers,

There has been a lot of debate lately regarding the privacy aspect when it comes to smart home devices, but it appears that the concerns are not unwarranted. Experts at Security Research Labs have uncovered vulnerabilities associated with Alexa and Google Assistant voice app backend systems that can be exploited to eavesdrop on users and for phishing out a password with ease. The security experts demonstrated the vulnerabilities in proof-of-concept videos and revealed how easy it is trick users into giving up sensitive information such as passwords and account details.

Security Research Labs explained in its report that malicious parties can use non-readable characters like a “�” in the code of voice apps for Amazon's Alexa assistant called Skills, or Actions in the case of Google Assistant. When such a character is encountered in the course of an ongoing interaction between users and the virtual assistant, it prompts a long pause, which tricks users into believing that the app has malfunctioned.

In such a scenario, users might think that the interaction has stopped and they need again to say a hotword like “Ok Google” or “Hey Alexa” to initiate an action. But in reality, the malicious party can use this pause to listen to whatever the user has said in the meanwhile, and can send the voice transcript of everything they said in a short duration to a dedicated server belonging to hackers.

Similarly, when the unreadable “�” character induces a short pause, say for 30 seconds to trick users into believing that something has malfunctioned, the malicious party can follow that up in their voice app with a code that reads a fake update message. In such cases, the false update voice prompt may ask users to say their password to install the update, and might also ask for more information such as the linked account. With this info, one can take control of an unsuspecting user's Amazon or Google account.

The eavesdropping and phishing vulnerabilities can be exploited via the backend that Google and Amazon provide to developers of Alexa skills and Google Assistant actions. And in the absence of stringent vetting protocols, malicious parties can gain access to functions that provide them access to critical commands and subsequently control how the virtual assistants behave. Security Research Labs reported the vulnerability to Google and Amazon months ago, but they are yet to be patched. Moreover, since Amazon and Google do not vet the code of app updates, malicious parties have a free hand here.

“All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies. We have review processes to detect the type of behaviour described in this report, and we removed the Actions that we found from these researchers”, a Google spokesperson was quoted as saying by ZDNet regarding the issue, but Amazon is yet to issue a statement. Google also wants to spread awareness that the Google Assistant won't ask them for sensitive information such as a password via a voice skill, with the intention of keeping them aware of such deception.



Number of participants 1 Experience +1 Pack Reason

View Rating Log

2019-10-21 10:26:33
Favorites RateRate
2019-10-21 10:28:40

Rookie Bunny

Blancatencio | from Mi 9 SE


2019-10-21 14:06:38
2019-10-23 21:26:19
please sign in to reply.
Sign In Sign Up


News Reporter

  • Followers


  • Threads


  • Replies


  • Points


AP2 Livestream
2016 Diwali with Mi
Check-in 3 jours
Check-in 7 jours
Check-in 21 jours
Check-in 40 jours
Check-in 70 jours
Check-in 100 jours
Lucky Draw No.
500K Members
2016 Christmas
Mi Explorers
2016 #ThrowbackwithMiComm
Pokemon Go!
1st Anniversary
2 million registered members
Newbie Member
The Motivator
Go Bunny Master
Mi Love U & I
Bunny Winner
70K Mi Fans
100K Mi Fans
Selfie Day
Happy July
Mi 9T
Global Fans
MIUI 9th Birthday
Global Community
Mi A3
better together slogan
Global Community
games discuss
Mid-Autumn Festival

Read moreGet new
Copyright©2016-2019, All Rights Reserved
Content Policy
Quick Reply To Top Return to the list