Security vulnerabilities in personal voice assistant technology would have made it possible for hackers to take photos and videos of users, or track their location without a victims’ knowledge, according to new findings.
Flaws in several Android devices opened holes in the Google Assistant and Samsung’s Bixby, according to research published Tuesday by the Israeli security vendor Checkmarx. The issues in Google’s Pixel brand of phones and Samsung’s Galaxy series could have allowed outsiders to record two-way conversations, silence the shutter on a phone’s camera and collect GPS location based on a device’s metadata.
Both Google and Samsung say the patch has been available since July in the Play Store.
The vulnerabilities show that as new technologies promise more convenience, they can also create new channels that attackers can leverage to infiltrate unwitting users’ devices, or access their information. Researchers proved earlier this month they could intercept Wi-Fi usernames and passwords from customers who installed Amazon’s Ring doorbells on their homes.
In this case, Checkmarx researchers determined Samsung’s Bixby and the Google Assistant could carry out these tasks because, as voice assistants, they don’t need to ask for permission to capture images or record video. But a hole in the programs made it possible for other, less-trusted apps to abuse the assistants. A seemingly innocuous app could pretend to send a voice request to the Google Assistant or Samsung Bixby asking to capture images, then start filming without any obvious notification to the device owner.
Researchers developed a proof-of-concept weather application to ask the voice assistants for that access. They did not point to any examples of hackers carrying out this attack in the real world.
“The malicious app we designed for the demonstration was nothing more than a mockup weather app that could have been malicious by design,” the researchers explained. “When the client starts the app, it essentially creates a persistent connection back to the [command and control] server and waits for commands and instructions from the attacker, who is operating the C&C server from anywhere in the world. Even closing the app does not terminate the persistent connection.”