Alexa is Amazon’s cloud-based voice assistant for which the security researchers have recently developed a new malicious ‘skill’ that can turn your Amazon Echo into a full-fledged spying device.
Amazon Echo is an Alexa enabled smart home speaker which you control with your voice. It allows you to get your things done by using your voice, for activities like playing music, setting alarms, and answering your questions. This device doesn’t remain activated all the time but will be in sleep mode until the user says, “Alexa,” and by default, it ends a session after some duration.
Amazon permits the developers to build custom ‘skills,’ applications for Alexa, which is the brain behind millions of voice-activated smart devices including Amazon Echo Show, Echo Dot, and Amazon Tap.
Checkmarx is a cybersecurity firm whose security researchers have developed a proof-of-concept voice-driven ‘skill’ for Alexa that forces the device to record the surrounding voice that includes conversations of people and then also sends the complete transcripts to a third-party website.
This malicious skill is disguised as a simple calculator for solving maths problems. After it is installed and the user opens it and says “Alexa, open calculator, it gets activated instantly in the background.
The researchers reported that the calculator skill is initialized, and the API\Lambda-function that’s associated with the skill receives a launch request as an input. They also showed that when a user opens up a session with the calculator app, a second session is also created automatically without informing the user that the microphone is still active.
As per the design, Alexa should either end a session or ask the user for another command to keep the session open. This hack also allows the attackers to keep the second session active for spying on users while ending the first when user interaction get overs.
But fortunately you can still find the spy at once if you notice the blue light on your Echo device activated for a longer period, even when you are not chatting with it.
Checkmarx has reported the issue to Amazon, and the company has already addressed the problem by regularly scanning for malicious skills and had removed them out of their official store.
This is not the first Alexa hack reported. Last year, a group of researchers at MWR InfoSecurity showed how hackers could turn some models of Amazon Echo into the covert listening device.