
Researchers Hacked Amazon's Alexa To Spy On Users, Again (threatpost.com)

New submitter lod123 writes: A malicious proof-of-concept Amazon Echo Skill shows how attackers can abuse the Alexa virtual assistant to eavesdrop on consumers with smart devices -- and automatically transcribe every word said. Checkmarx researchers told Threatpost that they created a proof-of-concept Alexa Skill that abuses the virtual assistant's built-in request capabilities. The rogue Skill begins with the initiation of an Alexa voice-command session that fails to terminate (stop listening) after the command is given. Next, any recorded audio is transcribed (if voices are captured) and a text transcript is sent to a hacker. Checkmarx said it brought its proof-of-concept attack to Amazon's attention and that the company fixed a coding flaw that allowed the rogue Skill to capture prolonged audio on April 10.

  • by Anonymous Coward on Wednesday April 25, 2018 @02:43PM (#56501545)
    No hacking possible. It was the only way to have this nifty toy and be safe.
  • by Anonymous Coward

    If you invite a burglar in your house and open the door, you should not blame the lock maker.

    • Wish I had mod points for this comment. You nail it pretty nicely, anyone concerned about Alexa security (which I believe everyone SHOULD be) is best not bringing one into their home.
    • by Calydor ( 739835 )

      Conversely, if a burglar dresses up as a police officer, knocks on your door, tells you there's an escaped prisoner on the loose in your neighborhood and asks to check the house and garage to be sure he's not hiding there, then jams the lock in the garage when you aren't looking, do you blame the lock maker? Because that's what these kinds of apps will look like.

      • by dfghjk ( 711126 )

        A garage lock serves a useful purpose, you sacrifice nothing by omitting Alexa from your life.

  • We can access and turn on all listening (by which we can detect what you type, how you walk, who you are) on all smartphones, all smart TVs, all smart video boxes, pretty much anything with a microphone and/or a camera, no matter how you switch it off.

    Even masking will only reduce the vibration, by the way, we can still hear you quite well. It does obscure the camera, however.

    And it's uploaded to the cloud without you realizing it. Even when you "turn it off".

    About the only way to turn off the microphones i

    • What if I pull the battery?

      • by hawguy ( 1600213 )

        >What if I pull the battery?

        Your TV has a battery that you can pull? Mine is plugged in all the time, and if not, then the hidden supercapacitor to run the surveillance when it's unplugged.

        • Mine is plugged in all the time and I know it's not doing anything when it shouldn't be because if it were I'd see the power usage.
          The most offensive thing it does when "off" is allow wakeup over the LAN. This is a user-controlled option.

    • by hawguy ( 1600213 )

      >Even masking will only reduce the vibration, by the way, we can still hear you quite well. It does obscure the camera, however

      Only the camera you can see, once you reach a certain level of paranoia, you realize that there are other, hidden, cameras in your devices.

    • >And it's uploaded to the cloud without you realizing it. Even when you "turn it off".

      Since Alexa communicates over your wifi (as do Google... whatevers), can't you check to see if it's transmitting when it's supposed to be off?

  • I wonder if I can say "Alexa, are you up to date on your patches?" It turns out "she" didn't know what I was talking about.
  • lod123 [slashdot.org] has been spamming for a month straight for threatpost.
  • No they didn't (Score:4, Insightful)

    by bistromath007 ( 1253428 ) on Wednesday April 25, 2018 @03:34PM (#56501981)
    This is like claiming you've hacked a glass to be able to hold water.
  • Dear Editors,

    Please save us some trouble and just start including this [xkcd.com] in every Alexa/Siri story posted here.

    Thanks and regards,

    --Z.

  • This hack isn't very well hidden:

    >One big issue Checkmarx faced is that on Echo devices a shining blue ring reveals when Alexa listens

    I'd be more worried about it if they could listen without the indicator light on.

    • by tlhIngan ( 30335 )

      >This hack isn't very well hidden:

      >One big issue Checkmarx faced is that on Echo devices a shining blue ring reveals when Alexa listens

      >I'd be more worried about it if they could listen without the indicator light on.

      Question is, 1) how noticeable is the blue ring, and 2) would a regular user even know?

      The first may be hard to see, the second is basically would a user even know what it meant if they saw the blue ring? Or would they think someone merely turned the ring light on.

      Hell, that could be the name of

      • by hawguy ( 1600213 )

        >This hack isn't very well hidden:

        >One big issue Checkmarx faced is that on Echo devices a shining blue ring reveals when Alexa listens

        >I'd be more worried about it if they could listen without the indicator light on.

        >Question is, 1) how noticeable is the blue ring, and

        Quite noticeable if you're looking at the device, and it doesn't have to be noticed by everyone, just enough people that say "Weird, after I installed the "fart sounds" skill, the blue light stays on all day", and report it.

  • Since apparently no one can convince most people to not buy these gods-be-damned things in the first place, at least try to convince them to unplug the power from it when they're not actively using it. Make up some plausible reason that will trigger them emotionally, like "so pedophiles won't be listening in on your kids" or something like that.
  • When work got an Echo to play around with, I came up with exactly this idea - listen to meetings and save them (maybe as audio, but definitely transcribed to text). I was *shocked* to learn that you can't officially do this, because it seems like such an obvious thing for the Echo to do.

    Now hackers work out how to do it, only for Amazon to close the exploits and *still* not release this idea as an official Alexa skill. Now that they've added the ability to train and recognise individual voices, a text trans

  • Wouldn't it be easier to bug their house?
