Amazon and Google: researchers outwit security controls

Voice assistants

Researchers outwit security checks on smart speakers from Google and Amazon.


Berlin. According to a report by the news magazine "Der Spiegel", security researchers from Berlin have uncovered vulnerabilities in the release process for smartphone apps at Amazon and Google. Researchers at the Berlin-based Security Research Labs (SRLabs) were able to use the official app stores for Amazon Echo and Google Home to distribute apps that could eavesdrop unnoticed on users of an Amazon Echo or Google Home. In doing so, they managed to outsmart the security controls of Amazon and Google.

The SRLabs researchers initially submitted harmless variants of the apps, which are called "skills" at Amazon and "actions" at Google, to the companies and had them approved. The apps were able to answer user requests, for example for a horoscope, and then feigned inactivity.

After the first security check, however, the apps were changed so that they continued to listen after a "goodbye" message. The unauthorized functions of the manipulated app were not discovered by Amazon and Google.

In their experiment, the researchers also tried to obtain the passwords of Amazon or Google users. The manipulated apps responded to every user question with an error message saying that the corresponding function was currently not available. The users were then referred to an alleged security update: "Please say 'Start' followed by your password".

To inattentive users it must have sounded as if the request came not from the app but directly from Amazon. The researchers said users should always be suspicious when they are asked for their password and told to say it out loud.

In practice, the apps did virtually no harm, because they first had to be found and installed among the thousands of skills and actions. In addition, the Berlin researchers could not override an important security feature: the smart speakers indicate with bright color signals that they are recording speech. Users who paid attention to the LED signals were thus informed that the voice transmission was still running.

The experiment exposed grave flaws in the release of app updates at Amazon and Google. The companies only checked that the "skills" or "actions" did not work like listening bugs when the apps were first added to the store. During updates, the newly introduced flaws were not detected.

The SRLabs researchers informed the companies about their experiments, and the companies then responded. "We have taken protective measures to detect and prevent this type of skill behavior. Skills are rejected or removed as soon as such behavior is identified," Amazon told "Der Spiegel". A Google spokeswoman wrote on request, "We prohibit and remove any action that violates our policies." Google deleted the actions developed by the researchers.
