“OK Google” – Two words to describe the security trade-off on Google’s Pixel

This has a simple fix, disable the option during setup

google pixel phone
Credit: Maurizio Pesce

Using your voice to unlock a phone sounds cool, but for some security professionals that’s a security trade-off they’re unwilling to make.

On Tuesday, one researcher discovered the downside of the Trusted Voice feature on Google’s Pixel that could put devices at risk. The problem is, this feature is enabled by default, which is a change from previous releases.

Dave Kennedy, the founder of TrustedSec and Binary Defense Systems, as well as the author of the Social Engineering Toolkit, discovered that he could play a recording of his own voice and use it to unlock his Google Pixel.

He isn’t the first to discover this, but the topic is worth revisiting.

One of the concerns surrounding this feature is that someone who isn’t familiar with the phone’s settings could use their new Pixel for work. Any sensitive documents or data on the device could then be obtained with little to no effort on the part of an attacker.

It isn’t hard to record someone saying “OK Google” or possibly edit a recording of those two words together in order to unlock a device.

It’s worth noting that Trusted Voice has been around almost as long as “OK Google” has, as far as features on Android are concerned. However, not all devices support this function.

In other versions, the option was disabled by default, but that isn’t the case on new Pixel devices. Google does offer a warning during setup, but many consumers will overlook this in favor of finishing the process so they can use their device.

On the screen where Trusted Voice is enabled, Google says the feature “can be less secure.”

“A similar voice or a recording of your voice could unlock your phone. But after one attempt, you must unlock your phone another way,” the warning states.

The one-and-done aspect of this login attempt is a decent protection scheme, but again - it doesn’t stop someone from simply recording a person using this feature as normal, and playing it back later.

Kennedy posted a video showing Trusted Voice in action.



If this feature is a concern, the fix is rather basic.

Go into settings (within the Google App, press the menu icon at the top left of the screen). From there, go to Voice, and disable “OK Google” detection. If Trusted Voice is disabled, the user will be prompted to unlock the device each time “OK Google” is used with the screen lock enabled.

Again, this isn’t a massive vulnerability, or earth shattering security problem. It’s a trade-off between security and convenience. But it’s a feature that administrators should be aware of as new Android devices enter the workplace.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.