It's dismayingly easy to make an app that turns a smart-speaker into a password-stealing listening device and sneak it past the manufacturer's security checks

Cory Doctorow 9:49 pm Sun Oct 20, 2019

German security researchers from Security Research Lab created a suite of apps for Google and Amazon smart speakers that did trivial things for their users, appeared to finish and go dormant, but which actually stayed in listening mode, then phished the user for passwords spoken aloud to exfiltrate to a malicious actor; all their apps were successfully smuggled past the companies app store security checks.

The basic workflow is this: the app is invoked by a voice command ("Give me my horoscope"), then appears to terminate, by playing a null character (U+D801), which is played as silence. After a long interval, the speaker then spoke in a voice that terminated the speaker's OS, with a fake error message asking for a password to allow for a security update.

The researchers reported their findings to Google and Amazon and withdrew their apps from the manufacturers' app stores, both companies say they are putting new policies in place to prevent similar future attacks.

All of the malicious apps used common building blocks to mask their malicious behaviors. The first was exploiting a flaw in both Alexa and Google Home when their text-to-speech engines received instructions to speak the character "�." (U+D801, dot, space). The unpronounceable sequence caused both devices to remain silent even while the apps were still running. The silence gave the impression the apps had terminated, even when they remained running.

The apps used other tricks to deceive users. In the parlance of voice apps, "Hey Alexa" and "OK Google" are known as "wake" words that activate the devices; "My Lucky Horoscope" is an "invocation" phrase used to start a particular skill or action; "give me the horoscope" is an "intent" that tells the app which function to call; and "taurus" is a "slot" value that acts like a variable. After the apps received initial approval, the SRLabs developers manipulated intents such as "stop" and "start" to give them new functions that caused the apps to listen and log conversations.

Alexa and Google Home abused to eavesdrop and phish passwords [Dan Goodin/Ars Technica]

Terrifying tale of an airport mix-up that turned a MacBook into a paperweight

Paul McMahon, a software developer in Tokyo, shared the nightmarish experience of what happened when he didn't set up Find My on his new MacBook Air. As Paul describes, "Thanks… READ THE REST
U.K. backs off plan to ban end-to-end encryption

Authorities in Britain have admitted they cannot ban end-to-end encryption without making private communications insecure [Financial Times], an outcome that implicates everything from bonking to banking. The effort, posed as… READ THE REST
Woman's credit card can't be lifted from the ground

Forget the ambient temperature superconductor announcement from yesterday; the remarkable property of this credit card is the real "brand-new historical event that opens a new era for humankind." Recorded on… READ THE REST
Save $169 on a lifetime license to Microsoft Windows 11 Pro and never look back

TL;DR: Revamp your digital world with this incredible lifetime license to Microsoft Windows 11 Pro, with its seamless interface and top-notch security, for only $29.97 (Reg. $199) until 11:59 PM on 1/07.… READ THE REST
Upgrade your tech for the new year with this refurbished iPad Pro, less than half price right now

TL;DR: Save over $350 on a refurbished Apple iPad Pro 10.5" 256GB, plus a free accessories bundle, with this sweet deal on sale for just $315.99 right now. Tech fans, it's time… READ THE REST
Make your rockstar dreams a reality for only $15.97 with this Guitar Lessons Training Bundle

TL;DR: The perfect last-minute holiday gift for an aspiring rocker, the 2024 Guitar Lessons Training Bundle is only $15.97 (Reg. $480) until 11:59 PM on 12/25. It's really never too late to make… READ THE REST