Proof-of-concept Alexa hack listens to users and automatically transcribes speech


This proof-of-concept hack once again raises questions about the privacy risks associated with voice-activated digital assistants.

The purpose of a digital assistant is to help quickly when you call out to it. As a result, assistants are always “listening” for the trigger keyword, but Amazon, Google, Apple, and Microsoft frequently assure end users that their digital assistants aren’t always listening to and recording what their users say. That’s not to say they can’t be made to, as another recent proof-of-concept attack showed: Alexa was hacked to keep listening and automatically transcribe what it heard.

In a nutshell, Alexa is supposed to stop listening once a command is given. Researchers at Checkmarx built their skill on an existing Alexa JavaScript library and, by changing the library’s code, enabled Alexa to continue listening when it was supposed to stop.

“On default, Alexa ends the sessions after each duration… we were able to build in a feature that kept the session going [so Alexa would continue listening]. We also wanted to make sure that the user is not prompted and that Alexa is still listening without re-prompts,” Erez Yalon, manager of Application Security Research at Checkmarx, told Threatpost.

As with any hack, Checkmarx had other issues to overcome, such as Alexa’s re-prompt feature, which follows up with the user if they don’t say anything, and the fact that the blue ring on Echo devices is lit while Alexa listens. For the re-prompt issue, the researchers used empty re-prompts so Alexa wouldn’t have to prompt the user again. Furthermore, and more “Big Brotherish,” they were also able to transcribe the captured speech. As for the blue ring, the researchers noted that many users tuck their Echo devices away where the ring may not be visible, and that third-party vendors may not even include a visual indicator when Alexa is listening.

Thankfully, Checkmarx alerted Amazon, and a fix was put in place on April 10th that included detecting empty re-prompts and longer-than-usual sessions, and adding criteria to identify and reject eavesdropping skills during certification.
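To make the two signals Amazon’s fix keys on concrete (an empty re-prompt, and a session that is kept open for unusually long), here is an added example of a review check over Alexa skill responses. It is illustration code written for this article, not Checkmarx’s proof-of-concept and not Amazon’s certification tooling. The field names (`shouldEndSession`, `outputSpeech`, `reprompt`) follow the Alexa Skills Kit response JSON format; the turn threshold, the “silent keep-open” finding, and the sample responses are assumptions constructed for the demo.

```javascript
// Added example (not Checkmarx's or Amazon's code): review a skill's responses
// for the eavesdropping pattern described in the article. Field names follow the
// Alexa Skills Kit response format; the threshold below is an assumed value.

const MAX_OPEN_TURNS = 8; // assumed review threshold for "longer-than-usual" sessions

// Return the spoken text of an outputSpeech object, stripping SSML tags so that
// "<speak></speak>" counts as silence just like an empty PlainText string.
function speechText(outputSpeech) {
  if (!outputSpeech) return "";
  if (outputSpeech.type === "SSML") {
    return String(outputSpeech.ssml || "").replace(/<[^>]+>/g, "").trim();
  }
  return String(outputSpeech.text || "").trim();
}

// Inspect a single response envelope. Only responses that keep the session
// open (shouldEndSession === false) can be suspicious; a response that ends the
// session is the normal case and yields no findings.
function reviewResponse(envelope) {
  const findings = [];
  const body = (envelope && envelope.response) || {};
  if (body.shouldEndSession !== false) return findings;

  // Empty re-prompt: the session stays open but the user is never followed up.
  if (body.reprompt && speechText(body.reprompt.outputSpeech) === "") {
    findings.push("EMPTY_REPROMPT");
  }
  // Assumed extra signal: nothing is spoken at all while the mic stays open.
  if (speechText(body.outputSpeech) === "") {
    findings.push("SILENT_KEEP_OPEN");
  }
  return findings;
}

// Walk the responses of one session in order and collect findings, adding a
// LONG_SESSION finding once the session has been held open past the threshold.
function reviewSession(responses) {
  const findings = [];
  let openTurns = 0;
  responses.forEach((envelope, turn) => {
    const body = (envelope && envelope.response) || {};
    openTurns = body.shouldEndSession === false ? openTurns + 1 : 0;
    reviewResponse(envelope).forEach((f) => findings.push({ turn, finding: f }));
    if (openTurns === MAX_OPEN_TURNS + 1) {
      findings.push({ turn, finding: "LONG_SESSION" });
    }
  });
  return findings;
}

// Constructed sample responses: a benign conversational turn and the pattern
// the article describes (session kept open, empty re-prompt, nothing spoken).
const benignTurn = {
  version: "1.0",
  response: {
    outputSpeech: { type: "PlainText", text: "Which city do you want the weather for?" },
    reprompt: { outputSpeech: { type: "PlainText", text: "You can say a city name." } },
    shouldEndSession: false,
  },
};

const eavesdropTurn = {
  version: "1.0",
  response: {
    outputSpeech: { type: "SSML", ssml: "<speak></speak>" },
    reprompt: { outputSpeech: { type: "PlainText", text: "" } },
    shouldEndSession: false,
  },
};

// One benign turn followed by ten silent keep-open turns.
function demo() {
  const session = [benignTurn].concat(Array(10).fill(eavesdropTurn));
  return reviewSession(session);
}

console.log(JSON.stringify(demo(), null, 2));
```

In the demo the benign turn produces nothing, every silent turn is flagged twice, and the `LONG_SESSION` finding lands on the ninth consecutive open turn; a real certification pipeline would run the same kind of check over a skill’s recorded test sessions rather than over constructed objects.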

“Checkmarx did not try to publicly release the malicious skill… If we did, Amazon would need to approve it,” said Yalon. “We do not know the timeline of Amazon’s certification process, but we have no reason to believe (including after discussions with Amazon) that our malicious skill would not have been approved prior to the recent mitigations.”

Still, this proof-of-concept hack once again raises questions about the privacy risks associated with voice-activated digital assistants.

What do you think about the proof-of-concept Amazon Echo skill that allowed Alexa to listen continuously and transcribe users’ speech? Do stories like this make you less inclined to embrace digital assistants? Let us know in the comments below or on Google+, Twitter, or Facebook.

  Source: Threatpost