Germany’s Security Research Labs released a statement Sunday confirming that it was able to successfully develop eight voice apps - called “skills” on Alexa and “actions” on Google Home - that posed as astrology and random number generator apps. The programs were able to listen to people's conversations through these speaker devices. The apps, which bypassed Amazon and Google’s security checkpoints for third-party apps, also tricked users into inputting their passwords by giving them fake notifications about software updates.
"Customer trust is important to us, and we conduct security reviews as part of the skill certification process," an Amazon spokesperson told Business Insider following Sunday’s press release. "We quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified. It's also important that customers know we provide automatic security updates for our devices, and will never ask them to share their password."
A Google spokesperson also confirmed to Business Insider that it is taking steps to prevent such security lapses from being exploited again.
"All Actions on Google are required to follow our developer policies, and we prohibit and remove any Action that violates these policies. We have review processes to detect the type of behavior described in this report, and we removed the Actions that we found from these researchers. We are putting additional mechanisms in place to prevent these issues from occurring in the future," the spokesperson confirmed.
This is not the first time that security loopholes have been identified in popular virtual assistant devices. Last year, security researchers identified an error allowing a malicious app to spy on people’s conversations through an Alexa even when the app wasn’t in use.
