Security Research Labs, a hacking research firm, said it discovered the flaw earlier this year and reported it to Amazon and Google. On Sunday, the firm posted a series of videos demonstrating how someone could exploit it.

Amazon and Google told CNN Business the security issue has since been fixed.

With the latest issue, SRLabs found hackers could have exploited the access Amazon and Google give third-party app developers to improve apps. Hackers could have used this access to customize commands that trigger a response from a home assistant.

In videos posted to YouTube, SRLabs showed how an app that works with Alexa or Google’s voice assistant could be programmed by a hacker. In one demo, a user opened an app via a voice command and was told it does not run in their country. The voice assistant was then silent. However, unbeknownst to the user, it continues to run in the background, listening for prompts. After a few minutes, the voice assistant said there was a company update and asked the user to say their password.

Amazon and Google assistants do not ask users to reveal passwords when working correctly.

There doesn’t appear to be evidence that any hackers actually carried out the manipulation to the voice assistants.

An Amazon spokesperson told CNN Business the company “quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified.”

Google said it also promptly fixed the issue, noting it prohibits and removes any action that violates its policies.

READ  Report finds ransomware recovery firms simply paying attackers| SC Media - SC Magazine

“We have review processes to detect the type of behavior described in this report, and we removed the actions that we found from these researchers. We are putting additional mechanisms in place to prevent these issues from occurring in the future,” a spokesperson said.



READ SOURCE

WHAT YOUR THOUGHTS

Please enter your comment!
Please enter your name here