“Hey Google, can you please hack Alexa”?
Smart home assistants are pretty popular these days, and for a good reason – they are time-saving, convenient, fun and addictive!
Working in the cybersecurity industry and being familiar with the security risks that rely on IoT endpoint devices, I decided to take a closer look at these allegedly reliable-enterprise-produced devices before I connect one to my own home LAN.
I have to say that even though I thought that by now I’ve seen it all, I was still surprised with what I had found, and not in a good way…
Let’s start with voice squatting attacks.
These attacks take advantage of an inherent problem with smart assistants’ skills. The problem starts with the fact that these skills can be written by anyone, and it is aggravated by the fact that they can be downloaded by voice command. Voice squatting is the attack of writing malicious skills whose names sound very similar to existing innocent ones, causing the user to download malicious code without even noticing. There are many related use cases; here are just two of them:
- Fake the “Capital One” bank skill as “Alexa, start Capital Won” or “Capital One Please”,
- Fake the “Entrematic Opener” skill as “intraMatic opener”.
Once you activate that skill, the malicious code runs, and your device can be exploited in many ways, depending on the code and specific device.
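A defender-side check for the lookalike names described above, as an added example that is not part of the original post: it reduces each invocation name to a crude consonant-class key and reports names that collide with a protected one. The key (Soundex-style classes without the leading letter) is an assumption made here, not how Amazon or Google match speech, and the filler-word list and the two benign names are constructed.

```python
import re

# Soundex-style consonant classes; vowels and h/w/y get no code and are dropped.
_CLASSES = {"bfpv": "1", "cgjkqsxz": "2", "dt": "3", "l": "4", "mn": "5", "r": "6"}
CODE = {ch: code for letters, code in _CLASSES.items() for ch in letters}

# Words a speaker may add around an invocation name (assumed list, extend as needed).
FILLERS = {"alexa", "start", "open", "please", "the", "skill"}

def tokens(name):
    """Lowercase alphabetic tokens of a spoken or written skill name."""
    return re.findall(r"[a-z]+", name.lower())

def phonetic_key(name):
    """Consonant-class key of the name with filler words removed."""
    # Unlike classic Soundex the first letter is not kept, so 'one'/'won'
    # and 'entre'/'intra' reduce to the same key.
    text = "".join(t for t in tokens(name) if t not in FILLERS)
    key = []
    for ch in text:
        code = CODE.get(ch)
        if code and (not key or key[-1] != code):  # collapse repeated classes
            key.append(code)
    return "".join(key)

def find_squatters(candidates, protected):
    """Return (candidate, protected_name) pairs that sound alike but differ in text."""
    by_key = {}
    for name in protected:
        by_key.setdefault(phonetic_key(name), []).append(name)
    hits = []
    for cand in candidates:
        for legit in by_key.get(phonetic_key(cand), []):
            if tokens(cand) != tokens(legit):  # the genuine name itself is not a hit
                hits.append((cand, legit))
    return hits

# Constructed sample data: the protected names and lookalikes quoted in the
# article, plus two made-up benign names.
PROTECTED = ["Capital One", "Entrematic Opener"]
CANDIDATES = ["Capital Won", "Capital One Please", "intraMatic opener",
              "Capital One", "Weather Buddy", "Capital Quiz"]

if __name__ == "__main__":
    for cand, legit in find_squatters(CANDIDATES, PROTECTED):
        print(f"{cand!r} sounds like {legit!r}")
```

A key collision is only a signal for manual review: the heuristic is coarse and will both miss some homophones and flag some unrelated names.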
Another vulnerability that I found was what I call ‘Voice Abuse’. This simply means asking a smart assistant to do things it’s not supposed to do. For instance, one can potentially stand outside your window and use voice commands to perform purchases, phone calls, or any other enabled skill when you’re not home. Does this make you feel uncomfortable? Wait, there is more…
Another good old-fashioned hacking method should be considered here as well: Google Home Hub, for instance, includes an undocumented API that is neither authenticated nor encrypted, designed to easily configure the device within the LAN. The reason it’s intentionally kept that way is, I am guessing, that Google is counting on your home WiFi ‘protection’, probably as part of the company’s “providing the best user experience possible” philosophy.
Who am I to question Google’s philosophy? But I wonder if maybe this time they have gone too far. I can’t stress enough how ridiculously insecure I find this strategy, since today even much simpler and less popular smart devices encrypt all of their communications.
True, this API is only accessible from within the same network. However, this “home LAN protection” is persistently proven to be vulnerable, and hackers manage to find their way into our home networks and attack smart devices. In fact, they do it a lot. You are welcome to read more about it in our recent blog post, A New look about Home Network (in)Security.
The icing on the cake is when you combine the different vulnerabilities to perform an attack.
How so, you may ask? Here’s one POCed example to spark your imagination: after accessing the home LAN, say via a router that enables port forwarding or in any other way, an attacker can broadcast an Alexa command using another speaker or smart assistant on that network. As long as this command doesn’t require a second layer of authentication or voice recognition, there is nothing to prevent Alexa from performing the task.
Piece of cake!
Disclaimer: It’s not all bad. The companies and brands that develop these devices do care a lot about security. As a matter of fact, they constantly release security and mitigation updates.
For example, Amazon’s Alexa requires a second-factor authentication for opening doors (usually a PIN code), so burglars can’t just shout from outside for Alexa to open the front door.
Another good example of mitigation is the voice recognition in the Google Home device (though it’s not on by default, and you will need to enable it).
So, should we all get panicked?
I believe that the answer is: don’t panic. But worry? Absolutely yes.
Smart assistants are getting more and more popular, with 56.3 million smart speakers in 2018 (about a 60% increase from the previous year). It seems that the day when every household will own at least one such device is near.
Although none of the vulnerabilities and exploitations described here are new or seen for the first time, most of them are still applicable. Why? I guess the companies and manufacturers behind them are not too hasty about fixing these problems.
By the way, I didn’t even mention the several exploitations above that will be hard to fix or mitigate once they do occur. That’s a whole other (sad) story.
For now, my Google Home is still connected, but I try to be careful about what I connect to it and monitor the activity continuously. I will also think twice before connecting any financial means to it any time soon. I wonder how long my carefulness will exceed my (or, more accurately, my family’s) eagerness for convenience and fun… That remains to be seen.