Researchers expose how Amazon Echo and Google Home can steal passwords

Security researchers have revealed a new vulnerability in two popular smart speakers that could have allowed an attacker to eavesdrop on or phish users.

The discovery, made by German hacking research collective SRLabs, found that malicious code could be loaded onto both a Google Home device and Amazon Echo to listen in on users and demand their passwords.

To carry out the attack, SRLabs developed an Alexa skill disguised as a horoscope tool and a Google action that claimed to be a random number generator.

When a user would ask the Google Home for a random number, for example, the device would comply and then play a fake sound that mimics the sound used to indicate that the action has ended. In reality, the device continues to listen to the user and sends a transcript of everything they say to the attacker.

The attack on Amazon’s Echo works much in the same way. If the horoscope skill is used, the Echo will continue to listen in on a user even if they have asked the skill to “stop.”

Another attack can even be used to phish a user’s Google or Amazon password. Another video from SRLabs shows how a fake error message is used to enable the microphone before an Echo asks for a user’s Amazon password in order to install an alleged update.

SRLabs says it made Google and Amazon aware of the issue after its discovery, allowing both companies time to patch the flaws before going public.

Neither company says it has found any evidence indicating that the vulnerability was exploited in the wild.

Unfortunately, this is not the first time such vulnerabilities have been found in smart home speakers. And it’s unlikely to be the last.

Mikael Thalen

Mikael Thalen

Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.