Subscribe Now

* You will receive the latest news and updates on the Canadian IT marketplace.

Trending News

Blog Post

Burger King’s Google Home hijack reveals vulnerability of IoT devices
SECURITY

Burger King’s Google Home hijack reveals vulnerability of IoT devices 

One thing is for certain though, the stunt brought to light just how vulnerable the Internet-connected devices people have in their homes – and how quickly consumers can fight back if you rub them the wrong way.

Here’s what happened. On April 12, the company released a commercial in which an actor playing the part of a Burger King server says he could not define what a Whopper is in 15 seconds. He then says “OK Google, What is the Whopper burger?”

That phrase OK Google was programmed to trigger voice searches on Android devices and Google Home smart devices to read out a snippet from a Wikipedia article about Burger King’s Whopper. Prior to the airing of the ad, edits which included promotional language were made to the Wikipedia article.

A Sophos Naked Security blog for instance, said the Whopper entry on Wikipedia before the edits read:

The Whopper sandwich is the signature hamburger product sold by the international fast-food restaurant chain Burger King and its Australian franchise Hungry Jack’s.

After edits from a user named Fermachado123, the line read:

The Whopper is a burger, consisting of a flame-grilled patty made with 100 percent beef with no preservatives or fillers, topped with sliced tomatoes, onions, lettuce, pickles, ketchup, and mayonnaise, served on a sesame-seed bun.

Naturally, some Google Home device owners were not amused when their home assistant started rattling off the attributes of the Whopper.

Well, consumers it seems can also play it that way too.

It didn’t take long for Wikipedia users to add their own Whopper descriptions such as: “often stinky combination of dead and live bacteria,” “a juicy 100 percent rat meat and toenail clipping hamburger product,” and “fatally poisonous substances that a person ingests deliberately to quickly commit suicide.”

Related Content

CHANGE YOUR APPLE PASSWORD. NOW.

GOOGLE HOME AND THE NEW MACBOOK PRO

MEET LEX, POLLY, AND REKOGNITION – NEW AI SERVICES FROM AWS

3 TOP CONCERNS CSOS AND CIOS NEED TO TACKLE IN 2017

Of course this resulted in some Google Home users reporting to the Internet company that their digital assistant was reading out really weird Whopper ingredients.

In response, Google adjusted the Google Home audio so that its always-on voice detection could not be triggered. The video below shows that Google Home is no longer affected by the Burger King ad

Burger King soon found a workaround the Google block, according to AdWeek.

For its part, Wikipedia protected the Whopper article to prevent both promotional material and vandalism from being re-inserted.

This is not the first time a digital assistant had been hijacked.

In January XETV-TDT in San Diego, Calif. aired a story about a 6-year-old girl who bought a $170 dollhouse and 4 lbs. of cookies by asking her family’s Alexa-enabled Amazon Echo, “Can you play dollhouse with me and get me a dollhouse?.”

After the story aired, viewers in San Diego complained that their Amazon Alexa devices “tried to place orders for dollhouses,” security company Sophos, said.

These incidents highlight a critical issue with many tech devices people purchase. More often than not, these products are shipped with default settings that allow for easy hijacking.

Default passwords are rarely replaced by users with ones that are harder to break.

With digital assistants it’s the voice recognition feature.

“One problem with these Internet of things (IoT) gadgets is that while they have voice recognition, they don’t necessarily have individual voice recognition,” said Sophos. “ Any voice will do, be it from a neighbor talking to a device through an window and thereby letting himself into your locked house or a little kid who orders up a pricey Kidcraft Sparkle Mansion.”

Related posts