Hackers are able to spy on Amazon Alexa and Google Home users by eavesdropping on their conversations, it has been revealed.
The troubling technical loophole also allows cyber-hackers to gain access to sensitive info by tricking users into handing over passwords in a “phishing” attack.
Online security experts claim these issues have persisted for at least a year and say millions of smart assistant users could be at risk due to the glitch.
The problem arises when users download custom apps which have back-end vulnerabilities that can be exploited by hackers, reports ZDNet.
By adding a single character to the back-end code of a normal Alexa or Google Home app, attackers can induce long periods of silence during which the assistant remains active.
This means it can record your conversations and then log them on an attacker’s computer.
The rogue app could also carry out a phishing attack by demanding a password while posing as an update message from Amazon or Google.
Due to the long delay, users will not be aware the phishing message is from a rogue app they were using previously.
“A horoscope app triggers an error, but then remains active,” researchers explain.
“And eventually asks the user for their Amazon/Google password while faking an update message from Amazon/Google itself.”
“Customer trust is important to us, and we conduct security reviews as part of the skill certification process,” an Amazon spokesperson said.
“We quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behaviour and reject or take them down when identified.”
Amazon confirmed this exploit no longer works on its own systems – and stressed the blue ring visual indicator indicates that audio is still streaming.
“All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies,” a Google spokesperson told The Sun.
“We have review processes to detect the type of behaviour described in this report, and we removed the Actions that we found from these researchers.
“We are putting additional mechanisms in place to prevent these issues from occurring in the future.”
It is not clear if anyone has been affected by these security hacks, but they can only occur if the user has downloaded a rogue app.