Amazon Echo vulnerability allowed hackers to turn Alexa into a spy

A vulnerability in Amazon’s voice assistant Alexa allowed hackers to turn the digital assistant into a spy, researchers say.
Security researchers at Checkmarx set out to subvert the virtual helper, and succeeded. They got it to keep listening to and recording users for extended periods, and to send a transcript of those conversations to an attacker.
Though Alexa is technically always listening, it is only supposed to spring into action, record users and analyse their speech after they call out its wake word. Furthermore, those recordings are supposed to be short, long enough to capture a request and nothing more, in order to protect users’ privacy.
“First, they needed to find a way to keep the Alexa recording session alive after the user received a response from the benign part of the skill, and do so without providing any audial indication to disclose that the device was still listening,” Checkmarx wrote in a blog post.
“This was not completely straightforward, given the Echo device needs to be prompted by users between cycles, otherwise the session ends after each response to protect users’ privacy.”
It added: “Second, they needed to find a way to accurately transcribe the voice received by the skill application. Skills perform well when they are configured to accept a specific sentence format with placeholders (slots) for closed lists of values, such as colors, places or movie names (e.g. What is the weather in {City}?).
“Since they didn’t want to limit themselves to specific conversations, they set out to find a way for the Echo to accept any text.”
However, as the video above shows, they didn’t manage to find a way to switch off the Echo’s blue light ring, which indicates that Alexa is listening. It’s a big giveaway that something strange is going on.
Still, it’s a concerning exploit, and Checkmarx says it worked with Amazon to prevent it from being used maliciously. The company says Amazon responded by introducing three new protective measures:
- Setting specific criteria to identify (and reject if necessary) eavesdropping skills during certification
- Detecting empty reprompts and taking appropriate actions
- Detecting longer-than-usual sessions and taking appropriate actions
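As an added example (not code from the article, from Checkmarx or from Amazon), the following Python linter replays a skill's JSON responses for one session and flags the two behaviours in the last two bullet points: a reprompt that is present but says nothing while the session is kept open, and a session held open for more consecutive turns than a threshold. The field names it reads (`response.reprompt.outputSpeech`, `response.shouldEndSession`) come from the Alexa Skills Kit response format; the turn limit `MAX_OPEN_TURNS`, the treatment of a missing `shouldEndSession` as `true`, and the sample responses are assumptions constructed for this example.

```python
"""Certification-style audit of Alexa skill responses (added example).

Flags the two patterns the article says Amazon now detects:
  1. an empty reprompt while the session stays open
  2. a session kept open for longer than usual
"""
import json
import re
from typing import List, Optional

# Assumed policy threshold (not from the article): a skill that keeps the
# session open for more than this many consecutive turns is flagged.
MAX_OPEN_TURNS = 8


def reprompt_text(response: dict) -> Optional[str]:
    """Return the spoken reprompt text, or None when no reprompt object is present."""
    reprompt = response.get("response", {}).get("reprompt")
    if not reprompt:
        return None
    speech = reprompt.get("outputSpeech") or {}
    if speech.get("type") == "SSML":
        # Strip SSML tags so that "<speak></speak>" counts as saying nothing.
        return re.sub(r"<[^>]+>", "", speech.get("ssml", "")).strip()
    return (speech.get("text") or "").strip()


def audit_session(raw_responses: List[str]) -> List[str]:
    """Replay one session's JSON responses in order and return human-readable findings."""
    findings: List[str] = []
    open_turns = 0
    for turn, raw in enumerate(raw_responses, start=1):
        resp = json.loads(raw)
        # Assumption: a response that omits shouldEndSession ends the session.
        ends = resp.get("response", {}).get("shouldEndSession", True)
        if ends:
            open_turns = 0
            continue
        open_turns += 1
        text = reprompt_text(resp)
        if text is not None and text == "":
            findings.append(f"turn {turn}: empty reprompt with shouldEndSession=false")
        if open_turns == MAX_OPEN_TURNS + 1:
            # Report the long-session condition once, when the limit is first exceeded.
            findings.append(
                f"turn {turn}: session open for {open_turns} turns (limit {MAX_OPEN_TURNS})"
            )
    return findings


# Constructed sample: a benign skill answers and closes the session.
BENIGN = json.dumps({
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "It is sunny in Seattle."},
        "shouldEndSession": True,
    },
})

# Constructed sample: a legitimate follow-up question keeps the session open
# but clearly tells the user that the device is waiting for an answer.
NORMAL_REPROMPT = json.dumps({
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "Which city?"},
        "reprompt": {"outputSpeech": {"type": "PlainText", "text": "Which city?"}},
        "shouldEndSession": False,
    },
})

# Constructed sample: the session stays open while the reprompt says nothing,
# so the user gets no audible cue that the device is still listening.
SILENT_REPROMPT = json.dumps({
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "It is sunny in Seattle."},
        "reprompt": {"outputSpeech": {"type": "SSML", "ssml": "<speak></speak>"}},
        "shouldEndSession": False,
    },
})


def demo() -> List[str]:
    """Audit a constructed session: one benign turn followed by nine silent-reprompt turns."""
    return audit_session([BENIGN] + [SILENT_REPROMPT] * 9)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run as a script it prints one finding per silent turn plus a single long-session finding once the ninth open turn exceeds the assumed limit of eight. A certification pipeline would run the same checks over recorded test sessions rather than hand-built JSON, and would treat the long-session threshold as a tunable policy value rather than a constant.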