Google Home, Amazon Echo, HomePod: Why should you worry about hacking connected speakers?

When we think of Google Home, Amazon Echo or HomePod, we tend to underestimate security. However, these speakers that connect to powerful personal assistants such as Google Assistant, Amazon Alexa or Siri open up new horizons for hackers who can carry out new types of attacks that do not involve opening a program directly by the victim or visiting a compromised website. page, among other examples. Depending on how these assistants work, it’s possible to take control of the microphone to remotely launch programs, open web pages, purchase, control connected objects, and even spy on conversations.

Google Home, Amazon Echo, HomePod: How hackers can hack connected speakers

Google Home, Amazon Echo, and HomePod are vulnerable to software attacks: basically, these speakers are computers permanently connected to the internet. In 2017, security researcher Mark Barnes (MWR Info Security) demonstrated how to exploit vulnerabilities in the Linux variant installed on Amazon Echos to remotely open a command prompt with administrative privileges. Allowing the speaker to say something. But also, for example, to spy on all the conversations taking place around the Amazon Echo by listening to the microphone.

Of course, the software part can be patched and with regular updates, the security on this side can be pretty well guaranteed. But there are other types of attacks that are more insidious and difficult to avoid. The first involves trying to talk to the enclosure to get it to perform actions. A hacker could for example put the words ‘Ok Google’, ‘Hey Siri’ or ‘Alexa’ in a video followed by an action to take. For example, it can be launched on a speaker like Amazon Alexa, Skills unofficial. To make it less recognizable, hackers can disguise their commands in homonyms, that is, in a way that sounds (and is understood to be) the same as a command.

Giving secret and even unheard orders: it’s possible!

A more sophisticated variant is to combine such attacks with a stealth malware application. For example, a popular program that works normally but can recognize a voice command and prompts the voice assistant to respond in a specific way, triggering the launch of malicious code or opening a Web page. So, a secret command posted in a YouTube video can trigger a malicious app to wake up or another app to start, making the helper respond with something suggesting the app was closed, for example. background.

In relation :  OnePlus Watch: the brand is preparing to launch its first connected watch

These two techniques are alsoa publication of the chinese academy of sciences. Finally, and this is probably more worrying, it is possible to completely hide a hacking attempt by issuing commands that are inaudible to the human ear. In a May 2018 article, The New York Times reported that Siri, Alexa, and Google Assistant react when voice commands are given on the ultrasound band – an attack called DolphinAttack. In the video below, researchers from Zhejiang University demonstrate the attack on an iPhone. However, this type of command requires relative proximity to the target relative to the device emitting the ultrasound.

They don’t go through walls either. But do well with an open window – researchers at the University of Illinois have shown that the attack can be carried out from a distance of just over 7 meters. Speaker manufacturers all claim to take precautions to make sure their speakers are safe. Apple says the HomePod cannot perform certain sensitive actions, including unlocking doors, and requires iPhones and iPads to be unlocked before performing certain actions.

Google assures that its assistant is security devices against unheard commands. Finally, Amazon is happy to say it has taken measures to secure its Echo speaker. However, this type of attack is still possible in these speakers. Apart from updating regularly and paying close attention to installed apps on all devices, there are few ways to truly protect yourself on the user side. As of January 2018, Google Home had sold 10 million units worldwide. With reasonable prices and an aggressive commercial policy (the Google Home Mini is sometimes bundled with other purchases), these speakers will increasingly find their way into homes.

Not to mention the upcoming arrival of the Amazon Echo, HomePod, and Djingo, the connected speaker from Orange. The security of connected speakers can become a big issue later. What do you think about the entry of these new devices into our homes and the risk they pose to security? Share your views in the comments!

Moyens I/O Staff has motivated you, giving you tips on technology, personal development, lifestyle and strategies that will help you.