Open Access Open Access  Restricted Access Subscription Access

Demonstration of Privacy Stealing Attack via Smart Speakers

Jian-Xian Li,
Pei-Jing Sun,
Jieh-Chian Wu,


Recently, the product of smart speakers becomes mature and popular. Since the voice assistant of the smart speaker is always listening to users’ commands to issue services, it leads to security vulnerabilities. We find that the login password for root access to the UART ports of the XIAOMI smart speakers is either not configured or configured by certain pattern which can be accessed by using system commands. After login as root, we can inject malware into XIAOMI smart speakers so that we can eavesdrop on conversations between user and voice assistant to perform privacy stealing attack, even when users turn off the microphone. We demonstrate three attack scenarios including eavesdropping, spear phishing, and passive phishing. Finally, we propose mitigations to such attacks for both manufacturers and user.

Citation Format:
Jian-Xian Li, Pei-Jing Sun, Jieh-Chian Wu, "Demonstration of Privacy Stealing Attack via Smart Speakers," Communications of the CCISA, vol. 26, no. 3 , pp. 1-19, Aug. 2020.

Full Text:



  • There are currently no refbacks.

Published by Chinese Cryptology and Information Security Association (CCISA), Taiwan, R.O.C
CCCISA Editorial Office, No.1, Sec. 1, Shennong Rd., Yilan City, Yilan County 260, Taiwan (R.O.C.)