Researchers find new way for Alexa and Google Voice to phish users

Photo: Olly Curtis/Future via Getty Images

A newly discovered variation of an old technique might make it easier for hackers to convince inattentive users of Google Voice and Alexa smart speakers to cough up their passwords.

The big picture: The security flaw was discovered by SRLabs and was first reported by ZDNet, but it has not been witnessed in use by actual hackers. Google has already announced that it has closed the flaw.

What's happening: With smart speakers, it's tough to tell if an application is still open after it stops speaking. Researchers have, over the years, discovered several ways to force smart speakers to stop talking for a few minutes — making it appear as though an app has closed — before sending a message asking the user to reenter their password. At that point, it seems like it's Google and not an app asking for the info.

  • In the SRLabs case, adding the "�" character to various commands allowed programmers to keep an app open much longer than it should be.
  • Smart speakers frequently have a light or other notification to show that an app is still running. That's useful if a user thinks to look for it and is nearby, but easy to overlook during a hectic day.
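
As an added illustration (not code from SRLabs, Google or Amazon): a review-time check that a voice-app store could run over an app's response text, flagging characters a speech engine has nothing to pronounce and any request for a password. The function names, keyword pattern and sample strings are assumptions constructed for this example.

```python
import re
import unicodedata

# Unicode categories with no spoken form: surrogate, private use,
# unassigned, control. U+FFFD (the "�" glyph) is category So, so it is
# checked explicitly.
UNSPEAKABLE = {"Cs", "Co", "Cn", "Cc"}
ALLOWED_CONTROLS = {"\n", "\r", "\t"}
# Assumed review keywords; word boundaries keep "spinning" from matching "pin".
CREDENTIAL_RE = re.compile(r"\b(password|passcode|pin)\b", re.IGNORECASE)


def unspeakable_chars(text):
    """Return (index, 'U+XXXX') for each code point likely to be read as silence."""
    hits = []
    for i, ch in enumerate(text):
        if ch in ALLOWED_CONTROLS:
            continue
        if ch == "\ufffd" or unicodedata.category(ch) in UNSPEAKABLE:
            hits.append((i, f"U+{ord(ch):04X}"))
    return hits


def review_response(text):
    """Classify one response string: 'ok', 'flag' (one signal) or 'reject' (both)."""
    hits = unspeakable_chars(text)
    asks = bool(CREDENTIAL_RE.search(text))
    if hits and asks:
        verdict = "reject"   # silent padding followed by a credential prompt
    elif hits or asks:
        verdict = "flag"     # a single signal goes to a human reviewer
    else:
        verdict = "ok"
    return {"verdict": verdict, "hits": hits, "asks_for_credentials": asks}


if __name__ == "__main__":
    # Constructed sample responses, not taken from any real voice app.
    samples = [
        "Your horoscope for today is ready.",
        "Say your PIN to continue.",
        "Goodbye." + "\ufffd. " * 3 + "Please reenter your password.",
    ]
    for s in samples:
        print(review_response(s)["verdict"], repr(s))
```

A check like this has to run on every response an app can return, including ones changed after the initial review.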