Researchers from the German internet security company Security Research Labs (SRLabs) warn about rogue apps for the smart speakers Google Home and Amazon Echo. The company discovered a way to eavesdrop on users via third-party apps.
The rogue audio apps use a feature in the Google and Amazon speakers that can be used to expand the functionality of the devices. This can be done by installing a so-called 'action' or 'skill' respectively.
SRLabs developed rogue apps for both speakers. Just like the smart assistants of both companies, these apps work with voice commands. Users can say a command to put the virtual assistant to work.
In both scenarios, the apps abuse the punctuation mark " " followed by a period and a space. Because the character cannot be pronounced, the microphone of the speaker remains activated without the user noticing.
The rogue app could then try to send the information to its own servers by convincing the user to pronounce the word 'start'. In this way, a hacker could, for example, capture personal information, email addresses or passwords.
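A vetting-side check for the silent-output trick described above, as an added example that is not from SRLabs or the original article: it flags speech output containing segments made up only of characters a text-to-speech engine cannot pronounce. The response field names (`speech`, `reprompt`, `keep_session_open`) and the sample strings are constructed assumptions, not a real Google or Amazon schema.

```python
import unicodedata

# Unicode general categories with nothing for a text-to-speech engine to say:
# control, format, surrogate, private use, unassigned.
SILENT_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn"}


def is_unpronounceable(ch: str) -> bool:
    return unicodedata.category(ch) in SILENT_CATEGORIES


def silent_segments(speech: str) -> int:
    """Count period-terminated segments that contain only unpronounceable characters."""
    # A trailing space lets a final "x." split the same way as "x. ".
    segments = (speech + " ").split(". ")[:-1]
    count = 0
    for segment in segments:
        body = [c for c in segment if not c.isspace()]
        if body and all(is_unpronounceable(c) for c in body):
            count += 1
    return count


def review_response(response: dict, max_silent: int = 0) -> list:
    """Return findings for one app response (hypothetical field names)."""
    findings = []
    for field in ("speech", "reprompt"):
        n = silent_segments(response.get(field, ""))
        if n > max_silent:
            findings.append(f"{field}: {n} silent segment(s)")
    # Silence is only dangerous when the microphone session is still open.
    if findings and response.get("keep_session_open"):
        findings.append("session stays open while the speaker is silent")
    return findings


# Constructed samples: U+E000 is a private-use code point with no spoken form.
BENIGN = {"speech": "Here is your horoscope. Goodbye.", "keep_session_open": False}
SUSPECT = {"speech": "Goodbye. " + "\ue000. " * 5, "keep_session_open": True}

if __name__ == "__main__":
    for name, resp in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, review_response(resp))
```
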
Although the method has not yet been spotted in the wild, the researchers do warn people of possible abuse. "Users should approach a new speech app just as carefully as installing a new app on their smartphone."