Google Home versus Amazon Echo: Vulnerability of Hacking
Over the past few years, the popularity of smart speakers has been on the rise with Amazon Echo and Google Home leading the way while Apple’s Homepod is coming in the third position regarding prevalence. Unfortunately, they have raised eyebrows of both consumers and researchers as well as security experts who in the past week realized that the smart speakers could be hacked. When hacked, the hacker can control the speaker’s voice assistants with methods that include but not limited to undetectable audio commands and eavesdropping software as well as targeting devices that are connected on the speaker’s network.
Both companies, Amazon and Google claim that they have addressed and solved the many of the vulnerabilities already, but it is impossible not to wonder the likelihood of your smart speaker to get hacked by a bad guy. This article is going to compare the two major products: Google Home and Amazon Echo and check for their vulnerability to hacking.
Google Home is a brand of smart speakers developed by Google. The first brand of Google Home was launched in May 2016 and finally released in the US in November the same year. The release of the product globally was done between 2017 and 2018.
Google Home was developed with a high-end feature that enables the user to speak voice commands that interact with service offered by Google through Google’s assistant software known as Google Assistant. The engineers integrated both the in-house and third-party services into Google Home allowing the user to not only listen to music but also control playback of videos and receive news updates entirely by voice. Nevertheless, Google Home supports home automation allowing users to control smart home appliances using their voice. Besides, there has been continuous updates on Google Home since its manufacture to address the current needs of society.
Vulnerability in Google Home
In spite of the assurance given by Google that its product is secure and almost impossible to hack, one hacker, Gamblin is with a contrary opinion. Gamblin gave a detailed revelation on some limited but potentially harmful weaknesses in the Google Home platform. According to Gamblin, unless Google fixes the flaw, one can easily take control of Google Home hub remotely using an unsecured application program interface (API).
According to Google, however, the API has been put there the sole purpose of setting up the device and not exposing user information to potential hackers. Nonetheless, its primary function is to communicate with other devices. Gamblin argues that Google is very much aware of this flaw in their product. Furthermore, he says “I am exceptionally stunned by how poor the general security of these gadgets are, considerably more so when you see that these endpoints have been known for a considerable length of time.” He continues to write, “I more often than not would have worked straightforwardly with Google to report these issues on the off chance that they had not recently unveiled, but rather because of the sheer measure of earlier work on the web and submitted code in their codebase, it is clear they know.’’
Nonetheless, the hack is not all-inclusive to commands for the Google Home hub, but it is a security threat. Having the controls as detailed by Gamblin can enable the hacker not only to restart the entire Home hub but also delete the configured wireless network as well as disable notifications such as those connected to locks and alarms.
After Gamblin claims, Android Authority reached out to Google who in turn said that all their devices are designed with user security and privacy. Google also claimed that they use a hardware-protected boot mechanism that ensures that only Google-authenticated codes are used on a particular device. Also, Google claimed that any communication with user information is authenticated and encrypted.
More so, Google said that the recent claims about the security on Google Home is inaccurate and should be discredited. It noted that the APIs in question are used by the mobile application to configure the device and can only be accessible when the apps and the device share the same Wi-Fi. “Despite all, there is no evidence to back-up the claims that our device is at risk of being hacked.”
In November 2018, Jeff Harwood, CSA (Cybersecurity Analyst) DMLABS, Tennessee said that Google Home hub was hacked 31 times using 16 different processes. On the other hand, Google Assistant was hacked 51 times using 33 methods. He further said that most of the rush to market electronics could be hijacked using schematic hacking targeting a variety of modes.
More so, a researcher working for Tripwire Inc. pointed out the loopholes in Google’s system that could facilitate the hacking of Google Home hub by cross-checking all networks within the target location. By cross-checking, the hacker could be in a position to pinpoint the exact position of the target which will ultimately expose the device user.
Unlike Amazon Echo, it is not mandatory for hackers to access other Google devices to hack Google Hub. It is quite easy to hijack the Google Hub home. All that an attacker need is to obtain the same website that the target is viewing using either a smartphone or a computer. Once this is done, a particular code is used to scan to identify the target.
Young Craig told KrebOnSecurity that an attacker could launch the attack remotely on condition that the intended victim can access a particular link with a malware sharing the same network with the attacker. Similar to Amazon Echo, it is impossible for the hacker to triangulate the exact position of the user immediately after gaining access. Therefore, the attacker has to wait for a moment to get the precise location. Usually, hackers send the malware as an advertisement or a link to twitter or any other social media platform.
Young Craig said that besides the privacy-related issues surrounding Chromecast or Google Home for being associated with leaking the exact physical location of the user, the malware installed by the attackers could help them to make a phishing attack look realistic. He further warned that some of the scams similar to those fake FBI and IRS threats of exposing compromising photos to both family and friends could contribute to the abuse of Google’s location data.
Similar to the Google Home hub, the Echo is a voice-activated speaker with Bluetooth and Wi-Fi connectivity. Currently, Amazon Echo is joined by many other devices in the Echo family, all of which have the Alexa voice assistant. Alexa is an awake word that is used for Amazon Echo. It is a digital voice that responds to your spoken demands from alarm setting to searching the web as well as playing music.
Amazon Echo Vulnerability
The moment smart speakers such as the Echo started to show up in homes everywhere throughout the globe, they have been considered to be a practical objective by the security network. However, that risk has remained to a great extent speculative: nobody has been able to get malware on the Echo device. Nonetheless, there is no confirmation-of-idea assaults on the gadgets have stayed unfeasible, best case scenario.
Reports indicate that some Chinese researchers have invested a very long time in attempting to come up with another system that can be used hack the Echo. Despite their breakthrough, hacking Amazon Echo is as yet an out and out takeover remotely. Be that as it may, this is the closest one has ever come hijacking this device.
The Chinese researchers that have worked to try and hack the Amazon Echo plan to present their technique during the Defcon security meeting. These researchers will present their finding that combines numerous bugs in Amazon’s Echo to hack the device and use its amplifiers to send out audio signals to the individual that is remotely controlling the gadget while at the same time offering no sign to the client that the device has been compromised.
However, the researchers have requested the Echo owners not to panic because they made Amazon Inc. of their discoveries and the organization put in place extreme security measure immediately. However, even before the hacking, Amazon’s security was hard to hack for the attack needed an individual with serious hands-on experience with working with particular hardware and equipment as well as proximity to the gadget’s Wi-Fi. But the exertion appeared by the researchers opens up new possibilities of how an attack can be made to a high-esteem target.
It is nearly impossible to hack the Amazon Echo gadget for it took the researchers several months of research to come close to hijacking the device successfully and listen in remotely. In case the attackers succeed in hacking the Echo device, they will acquire full control of the device for listening stealthily and send the voice information through the system to the hacker.
The researchers’ attack, however effectively fixed, shows how programmers can integrate numerous tricks to think of a multistep infiltration technique that will be able to hack even the most secured gadget like Echo. The attackers started their hacking process by dismantling their Echo and taking out some chips and use in building a firmware responsible for the attack. At that point, they re-bind the chip to the device’s motherboard. After that, they will use the custom made Echo as a device for hacking other Echoes with the assistance of a progression of web vulnerabilities which incorporate cross-webpage scripting and URL redirection just as HTTPS minimize the attacks.
If the attackers manage to take their custom made doctored onto the same network as the target Echo, then they can compromise the product part of Amazon’s speakers that the gadget utilizes in communicating with the other devices utilizing a comparative framework. That daemon had a backdoor that attackers discovered that they could take advantage of using their custom made Echo increase their full authority over the objective speaker, including the capacity to choose what the Echo will play. Playing anything the attackers choose is not as worrying as when the attackers quietly record and transmit to another attacker that is far away.
The prerequisite that one must be in the same network as the attacker speaks to a specified constraint to the attackers. This restriction implies that even after succeeding in hacking the Echo, an attacker must find a way of also gaining access to the victim’s network either using the password provided or also hacking the system or else fail in hijacking Amazon Echo altogether. However, analysts contend that the attacker can drive the secret word and influence the unfortunate victim to introduce the adjusted Echo themselves and connecting to their Wi-Fi unwittingly. Then again, the Echo attack can rapidly occur in conditions with a shared network such as schools and other public places.
When the researchers reached Amazon concerning their breakthrough in hijacking their Echo gadget, the company responded asking their customers to do nothing because their devices got an update automatically with the security fixes. The spokesperson also wrote that “to pull such a hack on our Echo, that particular individual must have gotten so close to the gadget and got the opportunity to change the device’s hardware.”
Amazon’s spokesperson said that Amazon takes customer security seriously. He further added that they have a dedicated team to ensure the safety and security of every product. Amazon has taken measures to ensure that Echo is secure and this includes disallowing third-party application installed on the device and rigorous security reviews as well as a secure software development requirements on the device. Besides, Amazon’s security has a secure software development requirement and encrypts their communication between Echo, the Alexa and Amazon servers.’’
A previous individual from the NSA’s world-class hacking group, Jake William says that it is tough to hack a gadget like Echo remotely. He also points out that the devices primarily acknowledge just voice info and cloud correspondence with the servers that Amazon use through a coded system which restricts the attackers. Therefore, it was smart for the Tencent scientists to utilize Amazon’s Echo-to-Echo correspondence.
In conclusion, given the security features that Amazon has put in place compared to what Google Home has, I would say that Google Home is more vulnerable to hacking than Amazon Echo. Amazon has more sophisticated features and addresses the privacy concerns seriously to the extent that one has to doctor an Echo device to communicate and hack another Amazon Echo device. On the other hand, one needs to access the website the victim is using either with a tweet or an advertisement to hijack Google Home devices.