Amazon Alexa Has Got Some Serious Skills—Spying On Users!
Amazon also allows developers to build custom 'skills,' applications for Alexa, which is the brain behind millions of voice-activated smart devices including Amazon Echo Show, Echo Dot, and Amazon Tap.
However, security researchers at cybersecurity firm Checkmarx created a proof-of-concept voice-driven 'skill' for Alexa that forces device to indefinitely record surround voice to secretly eavesdrop on users’ conversations and then also sends the complete transcripts to a third-party website.
Disguised as a simple calculator for solving maths problems, the malicious skill, if installed, immediately gets activated in the background after a user says "Alexa, open calculator."
By design, Alexa should either end a session or ask the user for another command to keep the session open. However, the hack could allow attackers to keep the second session active for spying on users while ending the first when user interaction get overs.
Luckily, you can still spot the spy red handed if you notice the blue light on your Echo device activated for a longer period, especially when you are not chit-chatting with it.
Checkmarx reported the issue to Amazon, and the company has already addressed the problem by regularly scanning for malicious skills that "silent prompts or that listen for unusual lengths of time" and kicking them out of their official store.
It's not the first Alexa hack demonstrated by the researchers. Last year, a separate group of researchers at MWR InfoSecurity showed how hackers could turn some models of Amazon Echo into the covert listening device.
Amazon also allows developers to build custom 'skills,' applications for Alexa, which is the brain behind millions of voice-activated smart devices including Amazon Echo Show, Echo Dot, and Amazon Tap.
However, security researchers at cybersecurity firm Checkmarx created a proof-of-concept voice-driven 'skill' for Alexa that forces device to indefinitely record surround voice to secretly eavesdrop on users’ conversations and then also sends the complete transcripts to a third-party website.
Disguised as a simple calculator for solving maths problems, the malicious skill, if installed, immediately gets activated in the background after a user says "Alexa, open calculator."
"The calculator skill is initialized, and the API\Lambda-function that's associated with the skill receives a launch request as an input," researchers said in its report.In a video demonstration, researchers show that when a user opens up a session with the calculator app (in the background), it also creates a second session without verbally indicating the user that the microphone is still active.
By design, Alexa should either end a session or ask the user for another command to keep the session open. However, the hack could allow attackers to keep the second session active for spying on users while ending the first when user interaction get overs.
Luckily, you can still spot the spy red handed if you notice the blue light on your Echo device activated for a longer period, especially when you are not chit-chatting with it.
Checkmarx reported the issue to Amazon, and the company has already addressed the problem by regularly scanning for malicious skills that "silent prompts or that listen for unusual lengths of time" and kicking them out of their official store.
It's not the first Alexa hack demonstrated by the researchers. Last year, a separate group of researchers at MWR InfoSecurity showed how hackers could turn some models of Amazon Echo into the covert listening device.
Comments