Monday, October 21, 2019

Alexa and Google Home - a Trojan Horse?

After many years have slipped by, the leaders of the Greeks,
opposed by the Fates, and damaged by the war,
build a horse of mountainous size, through Pallas's divine art,
and weave planks of fir over its ribs:
they pretend it's a votive offering: this rumour spreads.
They secretly hide a picked body of men, chosen by lot,
there, in the dark body, filling the belly and the huge
cavernous insides with armed warriors.

- Virgil, Aeneid, Book II
The Turkish city of Çanakkale rests directly on the Dardanelles - the strait that separates Europe from Asia. It is the nearest city to the ancient city of Troy, made famous by Homer's Iliad and Virgil's much later Aeneid. These stories tell the tale of the Trojan Horse, where a gift is actually a ruse to smuggle unpleasant things into a place, generally to the ruin of said place.

Everyone knows the story of the Trojan Horse.  Çanakkale has a giant Trojan Horse on its waterfront.  You may even recognize it - it was built for the 2004 film, Troy.  The story is so well known that it's a tourist destination.

In computer security the term applies to malicious software that pretends to be useful.  Long-time readers may recall Borepatch's First Law of Security: "Free download" is Internet-speak for "Open your mouth and close your eyes".  Sadly, this problem has been around for a long time and seems to be getting worse.

Alexa and Google Home appliances both allow third-party apps, like the ones you get on your phone.  Well, it turns out that these apps can use the devices' microphones to eavesdrop on the people in the room:
By now, the privacy threats posed by Amazon Alexa and Google Home are common knowledge. Workers for both companies routinely listen to audio of users—recordings of which can be kept forever—and the sounds the devices capture can be used in criminal trials.
Now, there's a new concern: malicious apps developed by third parties and hosted by Amazon or Google. The threat isn't just theoretical. Whitehat hackers at Germany's Security Research Labs developed eight apps—four Alexa "skills" and four Google Home "actions"—that all passed Amazon or Google security-vetting processes. The skills or actions posed as simple apps for checking horoscopes, with the exception of one, which masqueraded as a random-number generator. Behind the scenes, these "smart spies," as the researchers call them, surreptitiously eavesdropped on users and phished for their passwords.
"It was always clear that those voice assistants have privacy implications—with Google and Amazon receiving your speech, and this possibly being triggered on accident sometimes," Fabian Bräunlein, senior security consultant at SRLabs, told me. "We now show that, not only the manufacturers, but... also hackers can abuse those voice assistants to intrude on someone's privacy."
Fail.  Security wasn't an afterthought; it wasn't thought of at all.  Both vendors' vetting processes waved all eight malicious apps through.  My recommendation is that you - like me - simply don't buy any of these damned things for your house.


Gorges Smythe said...


Eagle said...

Yes, I bought an Amazon "Dot". No, it was never plugged in unless I was playing with it and knew it was listening. Yes, it was fun for a short while.

But it quickly became boring.

It's been sitting on a shelf for months. Unplugged. Unpowered.

And unloved.

Life's like that, I guess...

Glen Filthie said...

The threat potential should be intuitively obvious, I’d think.

I refused to get sucked into Twatter or Bookface because I knew that they would become tools of the wrong sorts of people to attack others they don’t like. Sure enough, every other day somebody is getting flogged for something they said 10 years ago.

For a guy like me with all the wrong opinions and nothing but contempt for the state and the people that run it... it’s a no-brainer. I can do without such contrivances.

Aesop said...

What are these strange home burglars of which you speak?

Never had 'em. Never will.

Even my dumb smart phone lives in a thick dark box while it's charging, and seldom accompanies me outside the house, let alone outside the car, unless I know I'm going to need it.

Even old-school POTS phones could have their handset activated without ringing through by Ma Bell, and I used to routinely leave the handset disconnected from the box, back in the day.

The internet is what it is, but it's tameable, if you bother.

Just John said...

I just always assume that my phone, laptop, or anything that communicates with the internet, is always listening. I remember finding a link somewhere that will show you all of your Google searches, and even play back the audio, if you did a voice search. If you ever forget what it was that you searched for, or can't find that old social media post, just run for public office; the local fishwrap will find it for you!