Your Smart Speaker’s Skills Can Be a Major Privacy Issue

Smart speakers from Amazon and Google allow a kind of add-on, much like the third-party extensions you install to make your web browser better. Here’s what’s interesting: as with browser add-ons, you’re completely dependent on the developer. And if they use their powers for evil, they can send whatever you say to your device off to some random person.

At least, that is the scenario presented by Germany’s Security Research Labs (SRLabs), which created a series of bogus Skills (Amazon) and Actions (Google) that were certified by both companies and were actually listed for download to your Echo or Google Home devices. The trick? As Ars Technica describes it:

“The malicious apps had different names and slightly different ways of working, but they all followed a similar pattern. The user would say something like ‘Hi Alexa, ask My Lucky Horoscope for a Taurus horoscope’ or ‘Ok Google, ask My Lucky Horoscope for a Taurus horoscope’. The listening apps responded with the requested information, while the phishing apps issued a fake error message. The apps then gave the impression that they were no longer working, when they were actually silently waiting for the next phase of the attack.”

In fact, the security researchers developed two types of application, one for eavesdropping and one for phishing, and both worked in much the same way. In the first case, the app simply does what you tell it but never stops recording your voice; in the second, the app pretends to complete the task, waits a little, and then gives you a fake message saying your device has been updated and that you need to provide your password to complete the update. Any password you then spoke was sent off to the developer’s servers.
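As an added illustration (not code from SRLabs, Amazon or Google), here is a small vetting check that a reviewer could run over a skill’s responses to flag the two behaviours described above: a session left open after an error message or with nothing audible, and a spoken prompt asking for a credential. It assumes the Alexa Skills Kit response layout (outputSpeech, shouldEndSession); the sample responses are constructed for the example.

```python
import re

# Constructed sample responses in the Alexa Skills Kit "response" layout
# (assumed fields: outputSpeech.text / outputSpeech.ssml, shouldEndSession).
SAMPLES = {
    "benign_horoscope": {
        "outputSpeech": {"type": "SSML", "ssml": "<speak>Taurus: a calm day ahead.</speak>"},
        "shouldEndSession": True,
    },
    "fake_error_then_wait": {  # claims an error, yet keeps the session open
        "outputSpeech": {"type": "PlainText", "text": "This skill is not available in your country."},
        "shouldEndSession": False,
    },
    "silent_listener": {  # nothing audible, session left open
        "outputSpeech": {"type": "PlainText", "text": ""},
        "shouldEndSession": False,
    },
    "password_prompt": {  # fake update that asks for a credential
        "outputSpeech": {"type": "PlainText", "text": "An update is available. Please say your password to continue."},
        "shouldEndSession": False,
    },
}

CREDENTIAL = re.compile(r"\b(password|passcode|pin|credentials?)\b", re.I)
ERROR_LIKE = re.compile(r"\b(error|not available|unavailable|try again later)\b", re.I)
SSML_TAG = re.compile(r"<[^>]+>")

def spoken_text(response):
    """Return what the user would actually hear, with SSML markup stripped."""
    speech = response.get("outputSpeech") or {}
    raw = speech.get("text") or speech.get("ssml") or ""
    return SSML_TAG.sub("", raw).strip()

def audit_response(response):
    """List the suspicious traits of one response; an empty list means none found."""
    findings = []
    text = spoken_text(response)
    keeps_open = response.get("shouldEndSession") is False
    if keeps_open and not text:
        findings.append("session left open with nothing audible")
    if keeps_open and ERROR_LIKE.search(text):
        findings.append("error message but session left open")
    if CREDENTIAL.search(text):
        findings.append("prompt asks for a credential")
    return findings

def audit_all(samples):
    """Map each flagged response name to its findings, skipping clean ones."""
    return {name: audit_response(r) for name, r in samples.items() if audit_response(r)}
```

A real review would also look at the reprompt and at later responses in the same session, since the waiting phase may only show up several turns in.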

Both Amazon and Google have since pulled the offending Skills and Actions, after being notified of their existence by SRLabs, and are working on additional “mechanisms” and “mitigations” to ensure that such exploits don’t spread to other Skills and Actions. Here are excerpts from the statements they provided to Ars Technica:

“Customer trust is important to us and we conduct security reviews as part of the skill certification process. We quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behavior and reject or take it down when detected.”

“All Actions on Google must comply with our developer policies, and we prohibit and remove any Action that violates those policies. We have review processes to detect the type of behavior described in this report, and we removed the Actions that we found from these researchers. We are putting additional mechanisms in place to prevent these issues from occurring in the future.”

Be careful when installing skills

That’s the problem: people will always look for new ways to steal your data. Amazon and Google are smart, but not perfect. Going forward, you should treat smart speaker skills as being at least as sensitive as browser extensions, if not more so. That means you shouldn’t install skills or Actions that seem neat but come from a third party or independent developer you’ve never heard of. And if you absolutely can’t live without a particular add-on for your device, at least do your due diligence: has anyone else used this add-on? Do the reviews seem credible and free of spam? Is this add-on absolutely essential for day-to-day use, or is it just some fun, quirky thing you’ll use a few times and forget?

And once you’ve installed add-ons for your smart speaker, test your device to see whether it stays on and keeps recording after the add-on has finished what you asked of it. If so, stop it and remove the add-on, because that is not good behavior. Likewise, be wary when your device unexpectedly asks you to do something, especially shortly after you’ve used a certain skill. I’m not Sherlock, but it’s an awfully strange coincidence if your smart speaker suddenly wants you to confirm your password, especially if it has never asked you to before, right after you use the new add-on you just downloaded. Maybe … don’t do that. (And remove the add-on.)

Or don’t download them at all

I realize this sounds a little paranoid, but I would just go ahead and not use any of these extra skills, Actions, add-ons, or whatever you want to call them, on your smart speaker. These always-on devices, or at least devices that can record what you say, open up entirely new ways to compromise your privacy, and I’m still not convinced that any add-on, even some hilarious prank Action or an amazing horoscope Action, is worth the risk. Your smart speakers are smart enough. If you don’t completely trust what you’re adding to them, you don’t need the extra hassle (or worry).
