Don’t be fooled if your smart speaker asks for your password

Your smart speakers could be listening for way more than you want them to. Recently, Security Research Labs (SRLabs), a hacking research group and think tank based in Germany, released a report finding that Alexa and Google Home expose users to phishing and eavesdropping through third-party skills and apps. The lab found two scenarios, both of which can be played out on Amazon Alexa and Google Home, in which a hacker can listen to your interactions with your smart speaker and phish for sensitive information. They dubbed the vulnerabilities Smart Spies, recorded their results, and put them in four videos to explain how they work.

Basically, a hacker can make a third-party app that uses the speaker’s built-in voice command system to trick users into giving away certain information, or to keep listening after a task with the user has ended. In their tests, using these vulnerabilities, SRLabs was able to request and collect personal data, including user passwords, and eavesdrop on users.

Google smart speakers are particularly vulnerable to eavesdropping. One of the vulnerabilities involves recording people after the user thinks the smart speaker has stopped listening. With Alexa, certain trigger words must be said to start recording, but with Google, that’s not the case. As long as the device hears someone talking every 30 seconds, a hacker can keep the voice recording going, possibly indefinitely.

The safety checks run by Amazon and Google are part of the problem that allows these vulnerabilities to exist. SRLabs found that even after Google or Amazon reviews a third-party app or skill for safety and it passes, the app can be changed to phish or eavesdrop on users. Making these changes didn’t trigger another safety check from either Google or Amazon.

The best strategy to avoid hackers eavesdropping on your sensitive information? If an app or skill asks for a password, don’t answer. No trustworthy app or skill will ask you to say passwords. Most require you to go to the app and link your accounts, which is safer. Your smart speaker won’t ask you for passwords to perform system or account updates, either. In addition, don’t give your smart speaker your credit card information or other sensitive data. Also avoid saying sensitive data out loud shortly after using your smart speaker.

Alina Bradford
Alina Bradford has been a tech, lifestyle and science writer for more than 20 years. Her work is read by millions each month…