Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Alexa and Google Home spying apps easily made it through approval

A security research organization in Germany placed eight 'smart spies' in both the Amazon Alexa and Google Home app stores to demonstrate how easily eavesdropping and phishing can be done over smart speakers.

German organization Security Research Labs has demonstrated both that malicious apps can be created for Alexa and Google Home, and that they can pass security vetting. The company successfully created eight such apps that they called "Smart Spies." Each was designed to eavesdrop or phish, and each was then approved by Amazon and Google.

"It was always clear that those voice assistants have privacy implications— with Google and Amazon receiving your speech, and this possibly being triggered on accident sometimes," Fabian Braunlein, senior security consultant at SRLabs, told Ars Technica.

"We now show that, not only the manufacturers, but... also hackers can abuse those voice assistants to intrude on someone's privacy," he continued.

The Smart Spies skills on Alexa or actions on Google Home were all able to eavesdrop on users after they should have stopped listening. Some were phishing ones that told users there was an update and asked for passwords.

According to SRLabs documentation, the company relied on how certain elements of an Alexa voice skill can be changed after it has passed Amazon's review process.

It also took advantage of the ability for developers to insert very long pauses in the speech output of either Alexa skills or Google actions. This is achieved by asking either smart speaker to repeatedly say an unpronounceable series of ASCII or ISO codes.

This meant the voice apps would go silent and so appear to have ended, when in reality they were waiting up to a minute to ask phishing questions.

SRLabs disclosed the apps and its research to Amazon and Google, both of whom have now removed the apps. Both companies then responded to SRLabs with statements about preventing this being done again.

"This is no longer possible for skills being submitted for certification," said an Amazon spokesperson in a written statement to SRLabs. "We have put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified."

"All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies," said a Google spokesperson in a similar statement.

"We have review processes to detect the type of behavior described in this report, and we removed the Actions that we found from these researchers," continued Google's spokesperson. "We are putting additional mechanisms in place to prevent these issues from occurring in the future."

Ars Technica reports that Google is now reviewing all third-party Google Home actions.

SRLabs did not place any Smart Spies on Apple's HomePod, as this does not currently support third-party actions.

Previously, Amazon has been reported to use thousands of workers to monitor recordings of spoken commands issued to the company's smart speakers and other devices. Google has done the same, and so has Apple.



13 Comments

ihatescreennames 19 Years · 1977 comments

Do we know if any of these Skills or Actions were installed and used by unsuspecting people?

rob bonner 12 Years · 237 comments

Do we know if any of these Skills or Actions were installed and used by unsuspecting people?

It's going to be hard to isolate whether the people were unsuspecting or not.

rotateleftbyte 12 Years · 1630 comments

Perhaps.... thy were removed because they interfered with the resident spyware on the devices?
No matter. None of this [redacted] [redacted] stuff will get past my front door (or back door for that matter). This also includes Homepod. I've managed for 66 years without this stuff and I can manage a few more thanks.

Wgkrueger 8 Years · 352 comments

The strong response from Google and Amazon is “we removed the apps”. The weaker response was “we told them not to do that and will remove their apps if they do”. 

Kuyangkoh 7 Years · 838 comments

Wgkrueger said:
The strong response from Google and Amazon is “we removed the apps”. The weaker response was “we told them not to do that and will remove their apps if they do”. 

They wouldn’t know if not told about it.....so we know how easy it is