Amazon Alexa and Google Home can be hacked to eavesdrop and steal passwords

Hackers are able to spy on Amazon Alexa and Google Home users by eavesdropping on their conversations, it has been revealed.

The troubling technical loophole also allows cyber-hackers to gain access to sensitive info by tricking them into hading over passwords in a "phishing" attack.

Online security experts claim these issues have persisted for at least a year and say millions of users smart assistants could be at risk due to the glitch.

The problem arises when users download custom apps which have back-end vulnerabilities that can be exploited by hackers, reports ZDNet .

By adding a single character to the back-end code of a normal Alexa or Google Home app, they can induce long periods of silence during which the assistant remains active.

This means it can record your conversations and then log them on an attacker's computer.

The rogue app could also create a phishing attack by demanding a password while faking as an update message from Amazon or Google.

Due to the long delay, users will not be aware the phishing message is from a rogue app they were using previously.

"A horoscope app triggers an error, but then remains active," researchers explain.

"And eventually asks the user for their Amazon/Google password while faking an update message from Amazon/Google itself."

"Customer trust is important to us, and we conduct security reviews as part of the skill certification process," an Amazon spokesperson said.

"We quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behaviour and reject or take them down when identified."

Amazon confirmed this exploit no longer works on its own systems  – and stressed the blue ring visual indicator indicates that audio is still streaming.

Source: Read Full Article