With one third of U.S. households owning a smart speaker, according to the Consumer Technology Association, they are fast becoming must-haves for your smart home. Unfortunately all of that convenience comes with a potential cost. Researchers have discovered that malicious apps can make your smart speakers collect your personal information. These underhanded apps either indefinitely record you or try to trick you into giving up your for passwords, which can then be used to hack into your accounts.
To start a long recording, the app prompts the smart speaker to say an unpronounceable character, which results in silence. To most of us, that silence indicates that the app has stopped listening, but really the app is still running and collecting data. The malicious app plays this unpronounceable character repeatedly to produce silence while recording everything you say within range of the speaker. Amazon, Apple and Google let you control and delete your recordings, but recordings that are initiated by malicious apps may be sent directly to the app-makers, with no way to control what happens to your information.
Other malware-infested apps are more sophisticated and attempt to get very specific pieces of information from you: namely logins and passwords. These apps may play an error message — like Alexa might say “this skill is not available in your country” — and then lapse into silence so you think the app has closed closed. But then the app mimics a system message, asking for your username and password to install an update or something similar.
We’re used to seeing this kind of phishing attempt via email, text messages, and malicious websites, but not from our smart speakers, so this new kind of malware could catch you off guard. The good news is that employing the standard computer security tips you'd follow to stay safe whenever you’re online can help you avoid smart speaker malware, too.
Here’s what to do to avoid getting into trouble with your smart speakers:
- Only download apps from developers you trust. Apps from developers you’ve never heard of could be malicious, particularly if you see they have no comments or reviews.
- Never tell your smart speaker your password aloud: no smart speaker will legitimately ask for your password by voice.
- Pay attention to when your speaker is listening: most have some kind of light when they’re active, so you know it’s listening. You can also manually mute (or just unplug) your speaker when you don’t want to chance it picking up conversations.
Malware is a potential problem for Amazon Alexa speakers and Google Assistant speakers (Apple's HomePod speakers restrict apps from this kind of behavior), but you should follow these precautions with any smart device you use. For now, Amazon and Google have removed malicious apps and tightened up security, but there's always the risk that more malware could pop up.
[Image credit: Amazon]
Gloss