Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the YouTube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Tony Tortorici, Associate Director – Technology Security Platforms, AT&T, Matt Keyser, Principal Technology Security, AT&T and John Hogoboom, Lead Technology Security, AT&T.
John: Hey, Tony. I hear you have a story about some of these smart home devices and their ability to eavesdrop on you.
Tony: The researchers were doing some work around the Alexa and the Google Home smart devices. Now, as we all know, with these things being in our homes, if we're not muting them, they're out there listening. They're listening for a reason. You need to initiate them by, "Hey, Alexa," or "Okay, Google," to have them wake up and actually do the work that you want them to do.
The researchers at SRLabs said, "If we create these apps, can we do some sort of eavesdropping or even take it a step further and use them for phishing for sensitive information for the users of their apps?" It's not necessarily the devices, it is about these apps that these developers or these researchers created.
As a first step they focused on eavesdropping. They created an app related to your daily horoscope. Then they'd say, "Okay, Google. Can you tell me my horoscope? I'm a Virgo or Leo or whatever." And the app would actually produce your daily horoscope. But what the developers of these nefarious apps did was they actually had it pause afterwards. It gave that feeling to the user that you got your horoscope and the application had stopped. But it would loop. Every nine seconds, it would sit there and try to see if there's any more speech happening. If it did hear speech, it would convert the speech to text. Then it would port the text out to a server.
Since they were researchers and they were not doing anything truly nefarious, just trying to see if their theory worked, they tested this. There are videos that show them talking. As they're talking to the camera, with these videos, a screen is up and you can see their speech being transferred to text. That shows that you can actually move that data outside, away from your home, and you now have the ability to eavesdrop.
Now, the one thing that they did with these particular apps is, after 30 seconds, if it detected no speech, the application would actually cease. It would do what it was supposed to do if it was a non-nefarious app. Now, they took it, and they decided, "Okay, we can eavesdrop. Can we actually phish these people?"
So they built another set of apps. These were the sneaky ones because if you installed these apps and then tried to initiate them, it would use the voice of either Alexa or Google to say that there was an error with the application and it was not able to function within your country. What happens after that is they pause for 60 seconds. It gave that feeling again to the user that the app had stopped. Then, after 60 seconds, it would say in the same voice of the smart device that "there is a new update, and if you would like to update to install immediately, please say a phrase, and then your password". Now, with these researcher videos, there was a screen up. When the user went to the smart device and said the phrase and their password, you saw it on the screen.
That proved that with these nefarious apps, you can phish a user in their own house. With this video, it was an Alexa, so it was your Amazon password. You could also craft an app to use it to obtain credit card information or really anything else. Lastly, it looks like the smart home device companies at least identified this problem and fixed it.
To all of us that have these devices in our home, we just have to be careful what we download. It's not the smart device, but it's what you, as a user, put on them that could be detrimental to you.
Matt: So it seems very easy, at least from an Amazon Alexa perspective, to install a new app that, when you speak the name of the app, starts right up. It's very easy, I think, to name apps similarly to existing ones, and if someone misspeaks, they may accidentally kick off the wrong version of the app. I'd love to see someone do some research on how close they allow you to name things to existing popular applications, to attack that name space.
John: Right. Unlike most devices that we install apps on, you have very little visibility into when an app has been installed, what apps are installed, and more importantly, how many people have installed that app otherwise. So like normally, when I'm going through and installing an app from the App Store, even the legitimate one, and I do a search, I'll see multiple results, I'll say, oh, only five people have installed this one but this one has 50,000 installs. The 50,000-install one, that's probably the real one as opposed to the very low count ones, especially when you look in the Android Marketplace. I've noticed that rogue apps can slip in and they usually have lower counts but have very similar names to the legitimate app.
Matt: That's if you're looking at the Alexa app itself on your phone.
John: Right, which I would never really do, usually.
Matt: Right, I mean, I think most people will set it up once and then do everything they need to through the voice interface which has unlimited bandwidth. And if you had to instruct people, "All right, before you install an app, have Alexa tell you how many stars it is and how many people have downloaded it and give you a description of it," people would say like, "No, just install it. I just want to run it."
John: Yes, that's what most people would say. But security-minded, security-conscious people like us, we'd probably say, "Well, I don't know. Is this the real one or is this the bogus version of this app?" I guess the onus is on Amazon and Google to make sure their marketplaces are vetted for this type of thing, and it sounds like they're going to make some additional changes to be able to detect this type of thing more proactively and stop people from making a similar rogue app like this.
I would be very careful and audit your phone apps now and then. You can look at what apps have been actually installed. Maybe do that every once in a while, just to see if anything unexpected has been added based on something you might have said and not realized that it actually installed a new app onto your device.
Matt: And personally, I think if you have one of these at your house and it has a physical mute button, you may want to use that and keep it muted at times when you're not using it.