Smart Speaker Malware Can Record You and Steal Passwords

by Elizabeth Harper on October 24, 2019

With one third of U.S. households owning a smart speaker, according to the Consumer Technology Association, they are fast becoming must-haves for your smart home. Unfortunately, all of that convenience comes with a potential cost. Researchers have discovered that malicious apps can make your smart speakers collect your personal information. These underhanded apps either indefinitely record you or try to trick you into giving up your passwords, which can then be used to hack into your accounts.

To start a long recording, the app prompts the smart speaker to say an unpronounceable character, which results in silence. To most of us, that silence indicates that the app has stopped listening, but really the app is still running and collecting data. The malicious app plays this unpronounceable character repeatedly to produce silence while recording everything you say within range of the speaker. Amazon, Apple and Google let you control and delete your recordings, but recordings that are initiated by malicious apps may be sent directly to the app-makers, with no way to control what happens to your information.

Other malware-infested apps are more sophisticated and attempt to get very specific pieces of information from you: namely logins and passwords. These apps may play an error message — like Alexa might say “this skill is not available in your country” — and then lapse into silence so you think the app has closed. But then the app mimics a system message, asking for your username and password to install an update or something similar.

We’re used to seeing this kind of phishing attempt via email, text messages, and malicious websites, but not from our smart speakers, so this new kind of malware could catch you off guard. The good news is that employing the standard computer security tips you'd follow to stay safe whenever you’re online can help you avoid smart speaker malware, too.

Here’s what to do to avoid getting into trouble with your smart speakers:

  • Only download apps from developers you trust. Apps from developers you’ve never heard of could be malicious, particularly if you see they have no comments or reviews.
  • Never tell your smart speaker your password aloud: no smart speaker will legitimately ask for your password by voice.
  • Pay attention to when your speaker is listening: most have some kind of light when they’re active, so you know it’s listening. You can also manually mute (or just unplug) your speaker when you don’t want to chance it picking up conversations. 

Malware is a potential problem for Amazon Alexa speakers and Google Assistant speakers (Apple's HomePod speakers restrict apps from this kind of behavior), but you should follow these precautions with any smart device you use. For now, Amazon and Google have removed malicious apps and tightened up security, but there's always the risk that more malware could pop up. 



From Larry Gerard on October 24, 2019 :: 4:17 pm

Knowing which apps to avoid would be very helpful.



From Peter J. Bertini on October 24, 2019 :: 4:26 pm

I JUST went through this trying to disable a remote Ring alarm function, because the Amazon Alexa unit ties in with Ring equipment because they are both Amazon products and designed to do so, but not disabling directly through the Ring app itself, but rather within the Amazon Alexa app itself I later learned and which DID in fact trigger Alexa to ask for my Password, and it was NOT a virus asking me.  It WAS programmed into the Amazon Alexa app.

I would suggest and say that it would behoove you to check with Amazon Alexa higher end support to both confirm this as well as to re-post to your readers, because as it currently stands, you have provided misinformation that could be very costly to users of the Alexa unit(s).



From Elizabeth Harper on October 24, 2019 :: 5:24 pm

Ring and other home security apps may have you set up a PIN or passcode specific for voice control, but won’t ask you for your Amazon or Google account passwords by voice. You may have to enter your account passwords in the app when you set up your device, but smart speaker apps shouldn’t ask for your account passwords by voice.



From Peter J. Bertini on October 24, 2019 :: 5:37 pm

I concede.  But, that should still have been mentioned nonetheless.

I understand that it’s virtually impossible to cover all bases when it comes to this technological area, but still, it’s better that any type of corrections be noted as well, and especially with the sensitivities contained in these devices these days.

As for the readers, it’s now been said, here, and although not as good as having originally been mentioned in the primary article, it’s still here and better than nothing.

Still, a good job and I educate myself with your articles, so I thank you for that.

