The sound of silence is actually the sound of a malicious smart speaker app listening in on you

Google Home and Amazon Alexa can easily be hacked to eavesdrop on users or extract information by asking questions that appear to come from each smart speaker provider, according to researchers. Both platforms can be extended by third-party developers. Such apps are called Skills for Alexa and Actions for Google Home. These …

  1. vir

    Something About A Stable Door

    So it sounds like they're relying on some sort of (likely automated) code inspection and possibly behavior analysis to "mitigate" this type of thing which - to put it charitably - doesn't work 100% of the time if the continued parade of malicious app notices is anything to go by. I take it there's no version of CTRL-ALT-DEL or otherwise reserved command (or physical interface, god forbid) to prevent third-party apps from masquerading as the OS?

    1. MatthewSt

      Re: Something About A Stable Door

      Apps have a slightly different voice than the default assistant, but if you're the kind of person who is going to read out your password then you probably aren't the kind of person that notices that

      1. John Robson Silver badge

        Re: Something About A Stable Door

        Or if your hearing is anything other than perfect...

  2. IceC0ld

    Google chief: I'd disclose smart speakers before guests enter my home

    https://www.bbc.co.uk/news/technology-50048144

    nothing to add really, as this seems to be where we are heading, having to disclose that you have this kit to any visitors may become a compulsory thing :o(

    1. Anonymous Coward
      Stop

      Or you could save yourself the headache of repeatedly notifying your houseguests that they might get surveilled and pocket a little money and not buy any of these incredibly insecure and intrusive "smart" speaker devices. Of course that means you have to haul your butt off the couch and turn off the light switch or order a new blu-ray yourself. Or maybe buy one of those old "clapper" devices so you can clap on and clap off stuff.

      1. Jamie Jones Silver badge
    2. Muscleguy

      My separated wife has one of these in her flat. I have only been there once and avoided talking about our relationship. I would absolutely not have such a thing in my house. I have denied the Google App permission to access the microphone on my Android phone because the idea of having something constantly listening creeps me out.

      I would in effect do the same to Siri if I had an iPhone. When I upgraded to Sierra on this laptop I was offered Siri on setup but declined. I have so many people from decades in my address book and the idea of handing them over to a service gives me the horrors as does curating them in some way first.

      Just like one thing which helped keep me off Fb for so long was tales of address books being raped and 'Hey I'm on Fb' messages sent to everybody on them when the App is installed horrified me. The privacy people surrender unthinking for 'services' just appals me.

    3. Anonymous Coward
      Anonymous Coward

      Or

      Google could offer a switch (I'd like a hardware one personally) for mics/software on/off.

      Buuuut that'd eat into their bottom line, marketing and customer "engagement", thus never going to happen (see Apple for other examples of reality distortion fields that must not be interfered with).

      1. Anonymous Coward
        Anonymous Coward

        Re: Or

        My Home Mini has a physical Mic Off switch.

        Anon as Google own my name now :P

        1. Anonymous Coward
          Anonymous Coward

          Re: Or

          I assume because they want those in corporate settings, and value those customers more than normal consumers?

      2. Andrew Jones 2

        Re: Or

        You know that Google Minis do in fact have a hardware disconnect switch right?

      3. Sir Runcible Spoon
        Joke

        Re: Or

        "Alexa, turn off the microphone"

        "OK, microphone turned off"

        later on..

        "Alexa, turn on microphone"

        "OK, microphone turned on"

        1. Flywheel

          Re: Or

          This actually happens on Google Hangouts - "mute mic" - confirmed. Turned on the radio as an alternative to the boring meeting I'm in; Hangouts: "are you talking - shall I unmute your mic?"

        2. Anonymous Coward
          Anonymous Coward

          Re: Or

          Unfortunately, I know some who in all seriousness would suggest that as a potential solution....

          I'm talking people with PhDs who want "voice activated" devices in labs where highly confidential work is being done.

          Why?

          Because they can't be arsed to walk over to the light switch to turn it off....

      4. Ben Richards 661

        Re: Or

        Google Home Hub has a hardware switch to disable the mic.

    4. Anonymous Coward
      Anonymous Coward

      having to disclose that you have this kit to any visitors may become a compulsory thing

      well, perhaps a matter of good manners

      1. Flywheel

        Re: having to disclose that you have this kit to any visitors may become a compulsory thing

        Or maybe get the damned thing to do it for you.. "It looks like you're having a visitor - shall I record it for you?"

    5. Anonymous Coward
      Anonymous Coward

      This needs the Google equivalent of "Intel Inside(tm)" stickers

  3. Mayday
    Big Brother

    I still don't understand

    Why people voluntarily have these telescreens in their house.

    I even have Siri turned off on my phone and don't allow microphone access to anything where possible.

    1. veti Silver badge

      Re: I still don't understand

      Because they find them useful, of course.

      If you carry a smartphone, your privacy is already badly compromised. If you use it to browse the Web and make comments on ElReg, even more so. And if you read your email on it, then... Really, at that stage I'm not sure what more you think you have to lose.

      But lots of people do all these things, and I haven't even mentioned Facebook yet.

      It's a trade off. It may not interest you, but it seems unreasonable to expect it not to interest anyone else.

  4. Vector
    Facepalm

    A smart speaker that might listen in when I don't want it to?

    Quelle Surprise...

    Seriously, isn't this exactly what everyone around here was concerned about when Alexa made her debut?

  5. John Brown (no body) Silver badge

    It sounds like...

    ...the biggest problem is that once a "safe" app is made available, there is far less checking of updates, ie there is a significant level of trust when existing apps are updated.

  6. Il'Geller

    Any espionage in cyberspace should immediately become a criminal and punishable act! Indeed, Artificial Intelligence technology allows to do without espionage and theft.

    1. IGotOut Silver badge

      Errr it is.

      1. Martin Summers Silver badge

        Gellar is a bot. You can safely ignore its AI obsessed comments.

        1. jake Silver badge

          Either that ...

          ... or the son of Uri ... the nonsense is similar, anyway.

        2. GrumpenKraut

          > ...a bot.

          Nope, a person. From his web site https://www.f6s.com/ilyageller : "I patented textual search: I own Internet and Database Industry." His accounts are (the last two still active):

          https://forums.theregister.co.uk/user/76698/

          https://forums.theregister.co.uk/user/93706/

          https://forums.theregister.co.uk/user/93934/

          https://forums.theregister.co.uk/user/94029/

          https://forums.theregister.co.uk/user/94039/

          Will report his post because his bloviations actually annoy me.

          1. diodesign (Written by Reg staff) Silver badge

            Gellar

            FWIW we let through his posts if they are not about him inventing the internet and databases and AI. General commentary is all right; riling up readers with patent claims is not all right.

            C.

            1. GrumpenKraut

              Re: Gellar

              Thanks for the clarification.

          2. Martin Summers Silver badge

            Well blow me down. All the other bots on here harp on about AI too and from looking at this guy's posts on this and other accounts they looked too constructed or bland to have been typed by a human. Jeez, he just needs to not comment anymore.

            1. Il'Geller

              I've been living in the cold for 10 years, observing you all saying nonsense.

              1. IGotOut Silver badge

                Maybe you should invest in some heating then.

  7. jake Silver badge

    "vishing"?

    Stupid made-up name for what we've been calling Social Engineering for at least half a century.

    1. doublelayer Silver badge

      Re: "vishing"?

      I don't think we need a new name for this, but this isn't social engineering. Social engineering is when you convince a person to trust you when they shouldn't and you leverage that trust. This is exploiting an unexpected vulnerability in a device so a user's data can be exfiltrated. It's malware, not social engineering. The easy way to determine the difference is whether a person needs to be involved. After writing this skill, a malicious person can push it out and get recordings of users without ever having to personally interact with any of them.

      It's wonderful that both Amazon and Google had to specify that they've taken down the proof of concept malware skills. As if we didn't already figure that. What we want to know and what they refuse to tell us is whether they're actually taking any of the necessary steps to prevent active use of the same tactics. From their statements, Amazon seems to be saying "Yes we made a change, but don't ask for details. Trust me, it's fine" and Google appear to be saying "We already did, so we didn't have to make a change, it's fine, and we don't need you poking about now go away". I'm taking both statements with the annual salt output of Bolivia.

      1. jake Silver badge

        Re: "vishing"?

        Of course it's Social Engineering. The perp is reassuring the user in order to soften them up to set the hook for the scam. It matters not that they are using a computer voice instead of a human voice, the skill and intent is identical.

    2. Anonymous Coward
      Anonymous Coward

      Re: "vishing"?

      "Known as the preserver, Vishnu is one of three supreme Hindu deities, along with Brahma and Shiva. Vishnu's role is to protect humans and to restore order to the world. His presence is found in every object and force in creation"

      So that makes it sound like 'vishing' should be a good thing (like the Alexa TV ads)... but in practice!...

  8. FuzzyWuzzys

    Got one, never used it

    I was given an Alexa about a year ago, it got installed and we all got bored with it within 2 days and it's been unplugged since! Three people in our house, all tech savvy and not one of us could find a use for it and it's sat in the cable drawer by the TV since.

    My father has one and 'cos he's almost 80 and his memory is not as sharp as it once was so he uses his Alexa to make reminders for sorting things out he has to do, remind him to take his meds and such like but he lives on his own and it sits in the kitchen out of the way. He's never installed a single skill and is happy to use it as a clock and note taking machine.

    1. Sir Runcible Spoon

      Re: Got one, never used it

      If there's an off-line version of the note-taking/reminder function then I'd like to know. My memory is appalling.

      1. hmv

        Re: Got one, never used it

        Well I do remember seeing one, but I can't remember the name!

      2. Anonymous Coward
        Joke

        Re: Got one, never used it

        > If there's an off-line version of the note-taking/reminder function then I'd like to know. My memory is appalling.

        It's called a Dictaphone. Just attach it to your belt with an extendable cord thingy. Then when you go "Why the hell's this attached to my belt?" You'll be reminded (by the big label on the back) to play it occasionally. Simples.

        1. Alister

          Re: Got one, never used it

          Bingley bingley beep! Good Morning Insert-Name-Here.

        2. Sir Runcible Spoon

          Re: Got one, never used it

          I've actually got one of those, the ones with the micro cassettes, but it doesn't do the reminding thing :)

          1. Anonymous Coward
            Anonymous Coward

            Re: Got one, never used it

            > but it doesn't do the reminding thing :)

            Google "Sony voice recorder alarm playback" for a selection of models that let you set an alarm and have one of the recordings play at that time.

        3. Anonymous Coward
          Anonymous Coward

          Re: Got one, never used it

          "Can I use your Dictaphone?" said the actress to the bishop...

          <snigger>

  9. Anonymous Coward
    Anonymous Coward

    They removed these so called 'skills'

    because they interfered with their own data collection that is baked into these things.

    I know that I'm slightly paranoid but I made the decision not to have any of this stuff in my home ever!

    I do use Siri but only in the car for CarPlay. I have shortcuts that turn it off and on on the phone. Otherwise, she is dead.

    IMHO, anyone who puts one of their devices (Google or Amazon) in their homes is certifiable. As a race, we are sleepwalking into a world that I hate more and more every day. Nearly time to drop out, go off grid and become an eco warrior (for what good it will do but it sounds nice). I would if it wasn't for my aged Mother still being alive.

    1984 (Big Brother etc) was supposed to be a warning not a cookbook.

    1. Anonymous Coward
      Anonymous Coward

      Re: Otherwise, she is dead.

      yeah, just sitting there, quietly, pretending to be dead :)

    2. Jimmy2Cows Silver badge
      Big Brother

      You may call it paranoia...

      ...others would say common sense and an expectation of basic privacy.

    3. N2
      Mushroom

      Re: They removed these so called 'skills'

      I know that I'm slightly paranoid but I made the decision not to have any of this stuff shyte in my home ever!

      Agreed, see icon>>

  10. Anonymous Coward
    Anonymous Coward

    No

    Just no

  11. Zog_but_not_the_first
    IT Angle

    Alternative?

    I echo (ha! ha!) the wise comments here on the unfathomable trend to have one of these things, BUT there is a real utility to be had in the case of, for example, an elderly relative. Are there viable alternatives (are you listening Pi crowd?) that listen out for a key phrase then pass the recognised query to an appropriate recipient (search engine, phone call etc.)?

    1. jake Silver badge

      Re: Alternative?

      Yes, there are voice recognition systems that do what you ask. For example, test drive a new car sometime. Most of these work just fine if you disconnect the antenna they use for calling home, so contrary to popular belief they will work autonomously.

      1. hmv

        Re: Alternative?

        It's particularly amusing watching a reviewer talk about a certain car company in that car and having the VA wake up every time he mentions it.

  12. RyokuMas
    Facepalm

    Is anyone surprised?

    Google Home and Amazon Alexa can easily be hacked are designed to eavesdrop on users or extract information by asking questions that appear to come from each smart speaker provider...

    TFTFY

    Seriously - how the hell does anyone trust listening devices provided by companies whose business model is built around trying to figure out how to make you buy more stuff?

    Stupidity - the eighth deadly sin.

    1. Sir Runcible Spoon

      Re: Is anyone surprised?

      It isn't stupidity, it's the arrogance of ignorance.

      You can tell people the risks, but they will happily ignore them because they think they know better.

      1. jtaylor

        Re: Is anyone surprised?

        You can tell people the risks, but they will happily ignore them because they think they know better.

        Maybe they really do know their situation better than you do.

        I have a blind friend who uses Alexa for many things: to set reminders, to announce email when it arrives ("new mail from Mike subject re hi from Honolulu"), to set timers, and to turn lights on and off.

        Of course there are alternatives: take notes on a "Type and Speak", put talking timers around the house, ask a neighbor if the lights are on, stick remote controls to the wall with Velcro (label each with Braille), etc. I've used these. They suck.

        Before you accuse others of "arrogance of ignorance," you might wish to educate yourself a little more.

  13. Pascal Monett Silver badge
    Thumb Down

    And, lest we forget

    [we have] "put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified"

    Seriously, guys, four times in the last four paragraphs ? If that is not called padding out the word count, I don't know what is.

    Your readers are generally intelligent people and many are technical. You do not have to repeat things to have them understood, and certainly not four times in four successive paragraphs.

    1. jake Silver badge

      Re: And, lest we forget

      But twice in two successive paragraphs is OK, right?

  14. mihares
    Trollface

    Competition

    So if you have an Amazon or Google audio spyware at home, not only Amazon and Google can eavesdrop on you (already happened, already emptily apologised for, already happened again and so on...), but so do random developers of Apps.

    They should be happy, the Amazon and the Google: no headaches for monopolistic practices here. Cheers!

  15. Andrew Jones 2

    Definitely want to see proof of this - when it comes to Google devices.

    If the device is speaking (audible or otherwise) - it is NOT transmitting microphone data anywhere.

    If the microphone is open for longer than 60 seconds, the app will fail, if the app continues to rack up errors, it can be automatically unlisted.

    If the app receives no interaction for a period of time, it will time out.

    Additionally - "hackable"? You have to specifically request to start the dodgy app.

    1. noboard

      There's an article on ars technica about this, along with videos showing it in action. I believe the password one plays the silence and then asks the user for their password, it then starts listening. I was very impressed (as I don't have these devices at home).

  16. Anonymous Coward
    Anonymous Coward

    Hmmm

    I realize that the application of logic, critical thinking and common sense to the facts in hand is a rarity in government today. But golly gee whiz people, we have clear, irrefutable evidence that software is being used to commit crimes against consumers. And yet, there has been no effort by the government (at least here in the US) to demand the corporations stop. This despite the fact that it is not just third party hackers that have been "hacking" (stealing and spying) it turns out that the 2 corporations in question have been caught red handed repeatedly hacking and stealing from end users.

    When a common citizen commits a crime and gets caught, they are immediately stopped, arrested and then prosecuted. When Google and Amazon commit a crime and get caught, (repeatedly) no one is stopped, no one is arrested or prosecuted. Instead, they are allowed to continue committing crimes. Google and Amazon must have their corporate charters revoked, the officers and controlling stock holders arrested, tried, convicted and jailed for their crimes. The rule of law applies equally to all or it is just another form of tyranny.....

    1. Sir Runcible Spoon
      Facepalm

      Hmm, it's almost as if what these companies are doing is useful to the government in some way.

  17. Anonymous Coward
    Anonymous Coward

    Broadband Monitor Anyone?

    Suggested design:

    1. Cheap Chinese box with two ethernet ports, 4GB memory, 1TB disk space

    2. Ethernet 1 connected to broadband device (e.g. BT Hub)

    3. Ethernet 2 connected to a port on home router

    4. Real time software simply copies all traffic: Ethernet1 <---------------> Ethernet2

    5. Real time software LOGS the time and IP address targets for all packets (like iptraf)

    6. Batch software uses whois to analyse the log. Over time, user builds list of bad IP address targets (e.g. Amazon, Google, Microsoft, etc)

    7. User notes spying using IP targets and timing (e.g. no one on the internet, but Amazon traffic!)

    *

    Does anyone know whether I can buy such a device, and whether there might be some open source software to use?

    *

    Pity that this approach can't be done on a smartphone (or can it be done even there?).
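Steps 5 to 7 of the design above (log destination and time for every packet, build a watch list from whois over time, then spot vendor traffic at hours when nobody is online) can be sketched in a few dozen lines. The following is an added example and is not the commenter's code or any product's; it assumes a simple per-connection log format (timestamp, source, destination:port, protocol, bytes) that a tool in the iptraf mould could be configured to emit, a watch list of address ranges with placeholder labels standing in for what whois lookups would produce, and a household "quiet hours" window that is an assumption to be tuned.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional

# Constructed sample log (not real captured traffic). One connection per line:
# date time src -> dst:port proto bytes
SAMPLE_LOG = """\
2019-10-21 02:14:07 192.168.1.23 -> 203.0.113.10:443 TCP 4120
2019-10-21 02:14:09 192.168.1.23 -> 203.0.113.10:443 TCP 38012
2019-10-21 09:30:15 192.168.1.5 -> 198.51.100.7:443 TCP 1500
2019-10-21 19:45:01 192.168.1.23 -> 203.0.113.10:443 TCP 2200
2019-10-21 03:02:44 192.168.1.23 -> 192.0.2.55:443 TCP 910
"""

# Constructed watch list keyed by network. In the posted design this list is
# built up over time from whois results; the labels here are placeholders.
WATCH_LIST: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("203.0.113.0/24"): "vendor-cloud-A",
    ipaddress.ip_network("192.0.2.0/24"): "vendor-cloud-B",
}

# Assumed window in which nobody in the household is online; adjust to taste.
QUIET_START = time(1, 0)
QUIET_END = time(6, 0)


@dataclass(frozen=True)
class Record:
    when: datetime
    src: str
    dst: str
    port: int
    proto: str
    nbytes: int


def parse_line(line: str) -> Record:
    """Parse one log line of the assumed format into a Record."""
    date, clock, src, _arrow, dst_port, proto, nbytes = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Record(datetime.fromisoformat(f"{date} {clock}"), src, dst,
                  int(port), proto, int(nbytes))


def parse_log(text: str) -> List[Record]:
    """Parse a whole log, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def label_for(dst: str) -> Optional[str]:
    """Return the watch-list label for a destination address, or None."""
    addr = ipaddress.ip_address(dst)
    for net, name in WATCH_LIST.items():
        if addr in net:
            return name
    return None


def in_quiet_hours(when: datetime) -> bool:
    """True if the timestamp falls inside the assumed quiet window."""
    return QUIET_START <= when.time() < QUIET_END


def bytes_by_label(records: List[Record]) -> Dict[str, int]:
    """Step 6: total bytes sent to each watched destination group."""
    totals: Dict[str, int] = defaultdict(int)
    for rec in records:
        name = label_for(rec.dst)
        if name is not None:
            totals[name] += rec.nbytes
    return dict(totals)


def quiet_hour_alerts(records: List[Record]) -> List[Record]:
    """Step 7: traffic to a watched destination while nobody is online."""
    return [rec for rec in records
            if label_for(rec.dst) is not None and in_quiet_hours(rec.when)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, total in sorted(bytes_by_label(recs).items()):
        print(f"{name}: {total} bytes")
    for rec in quiet_hour_alerts(recs):
        print(f"ALERT {rec.when} {rec.src} -> {rec.dst}:{rec.port} "
              f"({label_for(rec.dst)}) {rec.nbytes} bytes")
```

On the sample data the two early-morning connections to 203.0.113.10 and the one to 192.0.2.55 are flagged, while the evening connection to the same vendor range is not, which is exactly the "no one on the internet, but vendor traffic" signal the post describes. A real deployment would feed this from the mirrored traffic on the box rather than a static string, and would keep the watch list in a file that the whois batch step updates.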

    1. Oengus

      Re: Broadband Monitor Anyone?

      Does anyone know whether I can buy such a device, and whether there might be some open source software to use?

      PC Engines for the hardware ($US 126.50 + case $US 10 + M-Sata $US 18.40 + Power Supply $US 4.60).

      pfSense for the software (open source).

      I use this and a number of people I know use the same setup. There are cheaper boards and M-Sata drives available...

  18. adam payne

    "All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies. We have review processes to detect the type of behavior described in this report,

    Is this the same legendary review process that works so well on the Play store?

    /sarcasm

    1. Anonymous Coward
      Anonymous Coward

      legendary review process that works so well on the Play store

      I actually tried to read a review on playstore the other day on my pc. Nocando. I mean, I expected a big shiny button (or a small, barely visible one) with "add a review", or something to that effect. No, nothing like this anywhere. I tried a couple of other browsers and, I was actually logged in to my google (fake) account. Well, apparently, the internets say: "open google play store" on your phone or your tablet. Right, fuck off then.

  19. David 18

    Not so awful if it worked

    All this "smart" shit wouldn't be quite so bad if it actually fucking worked!

    I use Amazon music on my phone after being mugged into getting Prime, and it's hooked up to one of those el-cheapo bluetooth to FM transmitters in the fag lighter. So far so good.

    Amazon app, "Alexa play such and such" - works ok(ish) unless it's feeling un-cooperative (try getting it to play Count Basie without it saying "can't find count bessie").

    Bluetooth FM jobby mic works exceptionally well, crystal clear on a phone call, so why the hell can't I say "Alexa, play such and such" when the app is merrily playing music on my locked phone in the car. That voice control would actually be useful. WTF is the point if I have to have the phone unlocked and in my hand!

    Similarly, Android itself won't do anything useful by voice control when locked in the car, but mention google in conversation to a colleague when it's locked on your desk and up it chimes with "No search results" or similar.

    Ill-conceived, useless shiny bullshit.

  20. fidodogbreath
    Holmes

    Thanks, Captain Obvious

    "What the researchers at SR Labs demonstrate is something security and privacy advocates have been saying for some time: having a device in your home which can listen to your conversations is not a good idea," security analyst Graham Cluley told The Reg.

    No disrespect at all to Mr. Cluley; it's just astounding that this needed to be said at all.

    There has been extensive reporting in the mainstream (i.e., non-tech) media about privacy invasions, tracking, and data breaches by Big Tech for years now. Anyone who is sufficiently aware of the world beyond their nose to know that these products exist, should also be at least dimly aware of their associated risks. If they buy (or continue to use) them anyway, well, caveat emptor.

    "Actions have consequences. Ignorance about the nature of those actions does not free a person from responsibility for the consequences." -- Stephen Dobyns

  21. TheProf
    Angel

    "please say Start followed by your Amazon password"

    'Start'

    [oiSEJFPIhjtp87eyfoiadjgb[pugjb]-0ERIT8VHPT9AERMIAB[WRSUTG[9AEURVNTUwenbmt ,[oHRG9F7TNe-98rmuW,E[ JM QER0UYG 0oOTNVEW8HJVPITOWIERMV_GOUQERHTFPIWRBHYMIUWRH_MVOQ,J-W98ne vp89PSDIUFHPIADJMGOADIFY+HVPIAUDFHAGM OUDYFBG VODF VOUSD HFINFS PNHGSIB

    Wait a second. Is that an 'oh' or a 'zero'?

    1. Paul Hovnanian Silver badge

      Re: "please say Start followed by your Amazon password"

      "please say Start followed by your Amazon password"

      How does one pronounce all those punctuation characters?

  22. Donn Bly
    Big Brother

    An Echo may not be what you think it is

    I am not as familiar with the Google product as the Amazon, but all of the Amazon Echo products turn on their ring light whenever they are talking OR listening. That light cannot be turned off by the skill application. In addition, the skills do NOT have access to the raw audio, they only have access to the text transcription.

    Also, if the Echo is "talking" it is only listening for its wake word. So you can preempt a voice prompt by saying "Alexa" to take it back to the top of the menu tree, but if you haven't said the wake word the skill only gets the transcription of what was said after "it" stopped "talking", and then only for a maximum of 30 seconds. The skill app can respond with a voice prompt and get a second 30 second chunk of transcription (the "are you still there, please tell me what to do" prompt) but after that the user has to reinvoke the skill.

    That said, I have several of the devices and use them daily. Whenever someone publishes an article about them being "hacked" I read and research it. To date, nobody has published a true remote hack of the system -- including this last one by SR Labs.

    In this case, their technique for extending the voice prompt does not gain them access to what is being spoken in the room at the time. Does it expose a weakness in the system -- Yes, because they are creating a "denial of service" situation -- but they are not creating a surreptitious remote audio monitor.

    The echo is hard to "hack" because it doesn't execute any third party code. When you enable a skill you are downloading absolutely nothing to the echo, and you aren't changing a single bit or byte of its configuration. All you are doing is telling Amazon's cloud servers to add that skill's name to the rules that pre-process the text stream. The echo itself is a rather stupid device. Think of it as a limited functionality web browser that doesn't even have javascript and is limited to a single web site. You might be able to hack the cloud server, but you aren't going to have much luck hacking the end-user clients.

    If a user can be tricked into installing an application, then it doesn't matter what the platform is be it a pc, phone, or digital assistant. The Echo does have a great microphone array, but is severely limited in processing power and storage. That's why you don't even get to create your own wake word -- they are hardcoded in the firmware and silicon is optimized for the hardcoded list.

    Your cell phone is a significantly more appealing target to a hacker. Just like the Echo it has a microphone and internet connection, but unlike the echo it has significantly more storage and cpu processing power, has a much larger attack surface, and it is always with you instead of sitting next to your bed or on the kitchen counter.

    Amazon may be able to send new firmware to an echo to turn it into a bug (say, at the "request" of a government) and that may be a legitimate concern, but the same can be said for just about any other connected or smart device. Anything more is a tinfoil hat situation.

  23. Anonymous Coward
    Anonymous Coward

    Ah, thankfully ..

    .. I told the salesdroid I wanted a non-Alexa-or-otherwise variant when I went to get a few Sonos speakers.

    It turns out there's a Sonos One SL model which doesn't have the talky bits in, and the couple I got test reasonable well - except when I hook them up to Airplay and let VLC play a movie. I need to investigate just how much I have to delay video by - it lags a lot.

    I still may return them - the joy of online sales where I live is having 30 days to change your mind. I think quite a few countries do this now.

  24. Mattmattic

    No smart speakers in our house for those reasons. Plus we are aware that our parrot would order stuff via Amazon.

  25. BGatez

    A special danger to the people in need

    Friends have purchased these things to help aging parents who have difficulties seeing and /or getting about easily. Often the same people who more easily fall victim to scams whether by phone calls, emails, or now, their personal "assistants".
