Researchers Turn Alexa and Google Home Into Credential Thieves
Eight Amazon Alexa and Google Home apps were approved for official app stores even though their actual purposes were eavesdropping and phishing.
"Alexa, steal my passwords." It's not a phrase a user is likely to utter, but security researchers in Germany have shown that it's possible for malicious apps — Alexa "skills" and Google Home "actions" — to launch phishing attacks on users, forward the compromised credentials to criminals, and do it all in apps approved for use by the voice-assistant giants.
Security Research Labs, a white-hat research organization, developed a total of eight apps, four each for Amazon Alexa and Google Home, that masqueraded as horoscope checkers or a random number generator. The apps triggered malicious actions based on action words like "stop," while continuing to operate after users thought they had closed.
According to the researchers, both Amazon and Google removed the malicious apps when presented with evidence of their capabilities. Each of the companies also said they have adjusted practices and policies to prevent similar apps from being added to their stores in the future.
"At this point, consumers have devices that record audio, and often video, in their pockets and homes. We're surrounded nearly 24/7 by devices with the capability to eavesdrop. It should be no surprise that such a broad target surface is attractive to attackers," said Tim Erlin, vice president, product management and strategy at Tripwire, responding to the use of these voice assistants as an attack surface.
Read more here.
This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.
About the Author(s)
You May Also Like
Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024Why Effective Asset Management is Critical to Enterprise Cybersecurity
May 21, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024