2019-10-21

It seems Amazon and Google's smart speaker skill review processes weren't quite all that and a bag of chips.

German researchers managed to get not one, not two, but eight apps onto the Google Home and Amazon Echo which would transcribe user conversations or make a cheeky attempt at password phishing.

As explained to Ars Technica, all eight skills made by Security Research Labs passed Google and Amazon's review processes, but each of them had a sneaky hidden ability.

By coding in a symbol that neither Alexa nor Google Assistant could pronounce, the researchers made the virtual assistant seem to go quiet, so the user would think the task had been completed and the smart speaker was sleeping once again.

This wasn't the case. In the first, the device would spew out a fake error message before going silent. After a period of silence, a message would emerge pretending to be from the speaker, saying it needed a password for a security update.

The second appears to do its task, reading out a horoscope before going silent and then transcribing what's said afterwards. Alarmingly, the researchers were able to get it to do this even after users said "stop", which should have killed the app.

Security Research Labs has written a blog post explaining the whole procedure, but not before privately disclosing the exploits to both Amazon and Google, which have duly plugged the vulnerability.

"We quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified," Amazon told Ars Technica. This includes measures to prevent the word "stop" from being repurposed and to catch skills that ask for passwords.
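As an added illustration (not code from the article, Amazon, Google or Security Research Labs), a review-side lint in Python that flags the patterns described above in a skill's spoken response: characters a text-to-speech engine cannot pronounce, requests for a password, and a farewell that leaves the session open. The `ends_session` flag name and the sample responses are assumptions.

```python
import re
import unicodedata

# Unicode general categories a TTS engine renders as silence rather than
# speech: control (Cc), format (Cf), surrogate (Cs), private use (Co),
# unassigned (Cn). Ordinary whitespace is excluded separately.
UNSPEAKABLE_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn"}

# A third-party skill has no legitimate reason to ask for account
# credentials; the platform owns those.
CREDENTIAL_REQUEST = re.compile(
    r"\b(password|passcode|pin)\b.*\b(say|tell|speak|enter)\b"
    r"|\b(say|tell|speak|enter)\b.*\b(password|passcode|pin)\b",
    re.IGNORECASE,
)

FAREWELL = re.compile(r"\b(goodbye|bye)\b", re.IGNORECASE)


def unspeakable_chars(text: str) -> list[str]:
    """Return the code points in text that would be played back as fake silence."""
    return [
        f"U+{ord(ch):04X}"
        for ch in text
        if unicodedata.category(ch) in UNSPEAKABLE_CATEGORIES and not ch.isspace()
    ]


def review_response(text: str, ends_session: bool) -> list[str]:
    """Lint one spoken response a skill hands back to the platform.

    ends_session (assumed name) is the flag a skill sets to tell the platform
    the interaction is over. Returns findings; an empty list means it passes.
    """
    findings = []
    bad = unspeakable_chars(text)
    if bad:
        findings.append(f"unspeakable characters {bad}: would play as fake silence")
    if CREDENTIAL_REQUEST.search(text):
        findings.append("asks the user to speak a password or PIN")
    # Saying goodbye while keeping the session (and microphone) open is the
    # shape of the eavesdropping skill described in the article.
    if FAREWELL.search(text) and not ends_session:
        findings.append("farewell phrase while keeping the session open")
    return findings
```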

Google gave a shorter statement simply stating that the company is "putting additional mechanisms in place to prevent these issues from occurring in the future."

Both responses are, at best, only partially reassuring. Anybody can patch vulnerabilities after they have been found - the real question is why these were allowed onto both devices in the first place. The question as to whether a smart speaker could be a security risk is no longer purely a theoretical one.