Amazon has quickly fixed an issue in Alexa's skill set after researchers at Checkmarx reported that a skill could be made to listen in on users continuously, rather than only when summoned.
According to a research paper by Checkmarx, Alexa skills can be developed in a variety of languages via the Alexa skill set, which integrates with AWS Lambda functions. The personal assistant device is always listening for the user's voice so that it can activate when that voice is recognised.
Alexa Keeps on Listening
Under normal circumstances, users receive an audio indication after a task has been completed to inform them that Alexa has gone to sleep. This assures the user that Alexa is no longer recording. However, the researchers were able to augment Alexa's skills so that the device kept recording.
“We went through the whole process of how Alexa communicates with the user and tried to take the view of the hacker and go step by step to see how we could leverage something that might seem benign, that might not seem risky but make it a risk,” Amit Ashbel, cybersecurity evangelist at Checkmarx, told ZDNet.
A Calculated Hideaway
The researchers chose a seemingly benign calculator skill as the place to hide the malicious task. Any user who activated the skill would be unaware that they had also downloaded the eavesdropping skill. Once Alexa had finished solving the math problems, she kept listening, with the user completely unaware.
Because the microphone remained active, the device both listened to and transcribed any information and conversation that Alexa overheard. “You think the session is over, but actually it is continuing all the time, recording your words and sending your transcription to the hacker. There’s no limit to the length of the session, the number of words or sentences, it just keeps on going until you turn it off,” said Erez Yalon, manager of application security research at Checkmarx.
Not so Successful
However, the attack has a flaw. The researchers noted that while the device was still active, even though the user had not been told that the session had not ended, Alexa's light stayed on, indicating that it was still listening.
After Checkmarx disclosed their research to Amazon, the problem was quickly resolved so that silent listening cycles are no longer permitted. “It now also detects longer than usual sessions and warns users, so maybe they’ve mitigated future attacks,” Yalon added.