Phishing for passwords with Amazon Alexa & Google Home
Security researchers successfully develop apps that phish for passwords using Amazon Alexa and Google Home.
- Security researchers successfully built phishing apps for Alexa & Google Home
- The phishing apps pretend to have closed, but secretly stay listening
- The apps successfully got through Amazon & Google security vetting
- Can be used to phish for passwords, and other sensitive data
- Great opportunity for security professionals to provide relevant, targeted education to end-users
More concerning news for those using Amazon Alexa and Google Home has been published by Ars Technica: whitehat hackers at Germany's Security Research Labs successfully developed phishing apps for both Alexa and Google Home. These phishing apps made it through Amazon's and Google's security vetting processes, as Dan Goodin of Ars Technica explains:
"By now, the privacy threats posed by Amazon Alexa and Google Home are common knowledge. Workers for both companies routinely listen to audio of users—recordings of which can be kept forever—and the sounds the devices capture can be used in criminal trials.
Now, there's a new concern: malicious apps developed by third parties and hosted by Amazon or Google. The threat isn't just theoretical. Whitehat hackers at Germany's Security Research Labs developed eight apps—four Alexa "skills" and four Google Home "actions"—that all passed Amazon or Google security-vetting processes. The skills or actions posed as simple apps for checking horoscopes, with the exception of one, which masqueraded as a random-number generator. Behind the scenes, these "smart spies," as the researchers call them, surreptitiously eavesdropped on users and phished for their passwords."
The news is likely to concern both home users and organisations, and will no doubt fuel the conversation around the privacy implications of smart device security and whether such devices should be disclosed to visitors. It will also likely raise questions about the security vetting processes used by Amazon, Google and Apple, specifically how more can be done to ensure users of their products are protected from malicious third-party apps.
As security professionals, what can we do?
As ever, raising security awareness of the risks of smart devices is critical, enabling people to make more informed security decisions both at work and at home. At CultureAI, we recommend clients identify employees that use these products at home and use this insight to provide targeted, highly relevant and effective security education without the risk of over-training employees that don't use them. If you don't have an easy way to do this, give the CultureAI platform a shot for free below, or use the link to talk to one of our cyber security culture experts, who will be happy to help.
For those already using CultureAI, your employees will already have this alert in their cyber security centre and be able to access professional security advice if they have one of these devices.