An Interest In:
Web News this Week
- March 31, 2024
- March 30, 2024
- March 29, 2024
- March 28, 2024
- March 27, 2024
- March 26, 2024
- March 25, 2024
It's dismayingly easy to make an app that turns a smart-speaker into a password-stealing listening device and sneak it past the manufacturer's security checks
German security researchers from Security Research Lab created a suite of apps for Google and Amazon smart speakers that did trivial things for their users, appeared to finish and go dormant, but which actually stayed in listening mode, then phished the user for passwords spoken aloud to exfiltrate to a malicious actor; all their apps were successfully smuggled past the companies app store security checks.
The basic workflow is this: the app is invoked by a voice command ("Give me my horoscope"), then appears to terminate, by playing a null character (U+D801), which is played as silence. After a long interval, the speaker then spoke in a voice that terminated the speaker's OS, with a fake error message asking for a password to allow for a security update.
The researchers reported their findings to Google and Amazon and withdrew their apps from the manufacturers' app stores, both companies say they are putting new policies in place to prevent similar future attacks.
Read the restAll of the malicious apps used common building blocks to mask their malicious behaviors. The first was exploiting a flaw in both Alexa and Google Home when their text-to-speech engines received instructions to speak the character "." (U+D801, dot, space). The unpronounceable sequence caused both devices to remain silent even while the apps were still running. The silence gave the impression the apps had terminated, even when they remained running.
The apps used other tricks to deceive users. In the parlance of voice apps, "Hey Alexa" and "OK Google" are known as "wake" words that activate the devices; "My Lucky Horoscope" is an "invocation" phrase used to start a particular skill or action; "give me the horoscope" is an "intent" that tells the app which function to call; and "taurus" is a "slot" value that acts like a variable.
Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/EhrBsK0VGsw/verify-me.html