Security Alert: Don't Unlock Your Pixel with 'OK Google'

What do you call a security vulnerability that a phone acknowledges during setup? This isn’t an ancient riddle; it’s a real concern that security experts have discovered in Google’s newly released Pixel phone.

By activating the "OK Google" Trusted Voice feature to unlock the Pixel, consumers could be setting themselves up for a cyberattack. On the other hand, the vulnerability is mild, and the phone even warns you during setup, so consumers will have to use their own discretion on this one.

Steve Ragan wrote about the flaw at the Salted Hash security news blog, reminding users that the Trusted Voice flaw is not a new one. Here’s how it works: the Pixel, like all Android phones, offers a lock screen. You can use a password, a PIN, a pattern or your voice to unlock your mobile device. Voice unlocks are not as widely available as the other three, but the Pixel is hardly the first phone to make use of it.

MORE: What to Do After a Data Breach

The problems here are twofold. First, unlocking the Pixel with your voice means that someone else can accomplish the same thing with a recording. While it would admittedly take a bit of social engineering to trick someone into saying "OK" and "Google," editing those two clips together into a short audio file would be trivial. A truly savvy user could even approximate a person’s voice with digital trickery. Simply playing this recording in front of the Pixel would bypass a user’s voice lock.

Second — and this is arguably the more important risk — Trusted Voice comes enabled by default in the Pixel. Previous Android handsets that offered this functionality hid it away within the Settings and let users turn it on or off at their own discretion. This time around, Trusted Voice is a prominent part of the phone’s setup process. While users can indeed disable it during setup, Ragan theorizes that most, in their eagerness to simply get the phone up and running, won’t read any caveats carefully and simply activate the feature.

The good news is that if you activated Trusted Voice on your Pixel and would rather disable it, the fix is incredibly simple. Simply access the Settings menu, select Voice and disable "OK Google" detection. Now, you’ll have to unlock your phone with a PIN or password; more cumbersome, perhaps, but also more secure.

Google even mentions during the setup process that Trusted Voice is "less secure" than other alternatives. You can’t say the company didn’t warn you (although you can say that it didn’t warn you very well).

On the other hand, for this vulnerability to yield any real fruit for an attacker, a lot of disparate variables would have to fall into place. An attacker would have to know you personally, have physical access to your phone, record your voice with high-quality equipment and make you say two specific (admittedly somewhat common) words. As long as you’re careful with your phone and have no dire enemies in your personal life, you can probably leave Trusted Voice on without any ill effect.

TOPICS
Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.