- This Twitch streamer pooped his pants during a broadcast 3 Months Ago
- Apple’s iCloud encryption plan halted amid FBI pressure, report Today 10:57 AM
- Glenn Greenwald charged with cybercrimes in Brazil Today 10:48 AM
- BadBunny rips her fans for not sending her enough money Today 10:06 AM
- White rapper punched in the face for saying the N-word during battle Today 9:21 AM
- Hillary Clinton blasts Bernie Sanders, says ‘nobody likes him’ Today 8:57 AM
- Someone found Harry Styles’ doppelganger—and TikTok is obsessed Today 8:08 AM
- Patrick Stewart has spoken to Kevin Feige about playing Professor X again Today 7:16 AM
- ‘Shrill’ season 2 expands its world and point of view Today 7:00 AM
- Trans/Sex: Let trans art be messy, weird, and uncomfortable Today 6:00 AM
- Pediatrician gets death threats after pro-vaccine TikTok video Monday 9:37 PM
- This Australia-themed dildo is raising money to fight the bushfires Monday 8:26 PM
- Influencers say they’ve received unwanted sexual solicitations worth thousands Monday 7:39 PM
- Pregnant woman masterfully trolls gender-obsessed relative Monday 3:05 PM
- HBO’s ‘Curb Your Enthusiasm’ returns from a 2-year break with brand new ways to make you cringe Monday 3:00 PM
Security researchers have revealed a new vulnerability in two popular smart speakers that could have allowed an attacker to eavesdrop on or phish users.
The discovery, made by German hacking research collective SRLabs, found that malicious code could be loaded onto both a Google Home device and Amazon Echo to listen in on users and demand their passwords.
To carry out the attack, SRLabs developed an Alexa skill disguised as a horoscope tool and a Google action that claimed to be a random number generator.
When a user would ask the Google Home for a random number, for example, the device would comply and then play a fake sound that mimics the sound used to indicate that the action has ended. In reality, the device continues to listen to the user and sends a transcript of everything they say to the attacker.
The attack on Amazon’s Echo works much in the same way. If the horoscope skill is used, the Echo will continue to listen in on a user even if they have asked the skill to “stop.”
Another attack can even be used to phish a user’s Google or Amazon password. Another video from SRLabs shows how a fake error message is used to enable the microphone before an Echo asks for a user’s Amazon password in order to install an alleged update.
SRLabs says it made Google and Amazon aware of the issue after its discovery, allowing both companies time to patch the flaws before going public.
Neither company says it has found any evidence indicating that the vulnerability was exploited in the wild.
Unfortunately, this is not the first time such vulnerabilities have been found in smart home speakers. And it’s unlikely to be the last.
Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.