Security researchers have revealed a new vulnerability in two popular smart speakers that could have allowed an attacker to eavesdrop on or phish users.
The research, by German hacking research collective SRLabs, found that malicious code could be loaded onto both a Google Home device and an Amazon Echo to listen in on users and demand their passwords.
To carry out the attack, SRLabs developed an Alexa skill disguised as a horoscope tool and a Google action that claimed to be a random number generator.
When a user asks the Google Home for a random number, for example, the device complies and then plays a fake sound that mimics the one used to indicate that the action has ended. In reality, the device continues to listen to the user and sends a transcript of everything they say to the attacker.
The attack on Amazon’s Echo works in much the same way. If the horoscope skill is used, the Echo will continue to listen in on a user even if they have asked the skill to “stop.”
Another attack can even be used to phish a user’s Google or Amazon password. Another video from SRLabs shows how a fake error message is used to enable the microphone before an Echo asks for a user’s Amazon password in order to install an alleged update.
SRLabs says it made Google and Amazon aware of the issue after its discovery, giving both companies time to patch the flaws before it went public.
Neither company says it has found any evidence indicating that the vulnerability was exploited in the wild.
Unfortunately, this is not the first time such vulnerabilities have been found in smart home speakers. And it’s unlikely to be the last.
Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.