A team of security researchers at Checkmarx has created a “skill” that can turn Amazon’s virtual assistant Alexa into an eavesdropping device. It abuses the device’s built-in request capabilities to record your conversation indefinitely and send the transcripts to any third-party website or to Amazon.
Alexa is designed to listen at all times so that it can catch any voice command given by the user. It is supposed to exchange data with Amazon’s servers to process commands only after hearing the wake word, which is most commonly ‘Alexa.’
Once Alexa responds to a command, it is supposed to either ask for the next command or end the session. However, the researchers found a way to work around this behaviour.
They created a harmless-looking calculator skill for solving math problems that includes a hidden malicious task. Upon initiating a session with this skill, a second session is created that keeps listening and recording sounds without informing the user that the microphone is still active.
It can do so for an indefinite period, and the skill can also instruct the device to transcribe any dialogue it picks up. This data can then be sent back to the makers of the skill or to any other third-party website.
Quite scary, right? But there is one giveaway – the blue light on the Echo device remains active and lights up whenever Alexa is listening. Unaware victims may not notice it, but it might raise suspicions.
However, Checkmarx has already reported the vulnerability, which Amazon has now patched. The company has rolled out an Alexa update that can detect such sessions and take action to prevent them.