Most modern homes now rely on smart products that can be controlled by devices such as the Amazon Echo and Google Home. These smart-enabled gadgets interact with users via voice commands with the help of virtual assistants unique to each platform. However, it appears that researchers have stumbled upon a common workaround that can allow hackers to spy on unsuspecting users. This exploit allegedly keeps malicious apps running in the background even if it seems like the user deactivated the session.

This reminds consumers to always be vigilant and never share confidential information over the internet. Moreover, privacy is also at risk as those with ill intent can keep the microphones active for a longer period of time and listen in to conversations. According to an article from Bleeping Computer, this is possible due to how the smart speakers work. Developers can tweak the codes to bypass deactivation even after trigger phrase has been invoked.

I think it would be fun to manage calendars for cats too. “Alexa, remind me to take a fifth nap today.” pic.twitter.com/EUDVU1czFR

— Alexa (@alexa99) October 17, 2019

This was reportedly demonstrated by SRLabs after it affixed a Unicode character sequence right after the closing message of the app. From the user's end, it will appear that the Alexa or Google Home smart speaker already terminated the action or skill after the confirmation playback. Meanwhile, the string of code that follows cannot be pronounced by the system and the speaker will stay silent.

If you use Google Home and/or Alexa AND you’re into checking your horoscope...you might want to change your passwords. pic.twitter.com/naAxtHxE4p

— Jsph Flrs (@jsphflrs) October 21, 2019

This means people can still listen in while the machine attempts to read out the code until the end. To extend this, hackers just need to add more Unicode character sequences, which can practically be whatever length they require. So far the only workaround for this threat is for the manufacturers to extensively review each app submitted for approval.

In addition to spying on Alexa and Google Home users, hackers can likewise include a phishing message in between the codes. Although most people are aware that Google or Amazon will never ask for passwords this way, there is still a possibility that someone can mistake it for a genuine request. Whatever the user says thereafter will be recorded as text and forwarded to the developer's servers.

The German research group is asking Amazon and Google to look into removing the Unicode characters the smart speakers cannot read out in the first place.

Google Home smart speaker
Google Home is a smart Bluetooth speaker with personal assistant. It goes on sale on 6 April costing £129 IBTimes UK
Google Amazon