Amazon Alexa is the new buzzword of home users. However, security researchers have found a privacy risk that can turn an Amazon Echo into a spying device. Read on to know more about the privacy risk…
Amazon Echo is the always-listening voice-activated smart home speaker that allows you to get things done by using your voice, like playing music, setting alarms, and answering questions. While Amazon Echo is the new buzzword of home users, it’s not right to speculate about security risks of home based gadgets like Amazon Echo and any other smart devices or gadgets. They are always designed and tested by the manufacturers for all types of user privacy risks. However, security researchers have developed a new malicious skill for Amazon’s popular voice assistant Alexa that can turn your Amazon Echo into a real-time spying gadget. The researchers at the security firm Checkmarx with little tweaking of Alexa have turned it into a spy device.
Proof of Concept
Amazon allows developers to build custom ‘skills’ applications for Alexa, which is the brain behind millions of voice-activated smart devices which includes Amazon Echo Show, Echo Dot, and Amazon Tap. Researchers didn’t have to hack Amazon’s Alexa voice assistant to use it for eavesdropping. They just took advantage of the system in place of turning an Echo into a spy device which only took some clever programming.
The privacy breach, which Amazon has already fixed, follows the intended flow of using and programming an Echo. Because an Echo’s mic only activates to send sound over the Internet when someone says the wake-up word which is “Alexa” — the researchers probed if they could piggyback on one of those legitimate reactions to listen in. After a few manipulations they achieved their test results successfully to discover the privacy breach. In technical terms, security researchers at cybersecurity firm Checkmarx created a proof-of-concept voice-driven ‘skill’ for Alexa that forces device to indefinitely record surround voice to secretly eavesdrop on users’ conversations and then also sends the complete transcripts to a third-party website.
“We actually did not hack anything, we did not change anything, we just used the features that are given to developers,” says Erez Yalon, the head of research at Checkmarx. “We had a few challenges that we had to overcome, but step by step it happened.”
In fact, the researchers used an attack technique more common in mobile devices to carry off their eavesdropping. Whereas on a smartphone you might download a malicious app that snuck into, say, the Google Play Store, the researchers instead created a malicious Alexa applet known as a “skill” that could be uploaded to Amazon’s Skill Store. Specifically, the researchers designed a skill that acts as a calculator, but has a lot more going on behind the scenes. The Checkmarx team did not actually make their skill available to the general public.
To use a skill, you have to say your device’s wake word for the mic to begin shuttling audio over the internet for processing. In Checkmarx’s example, when the user then asks their enabled calculator to do some simple math, that request gets routed to the skill, which returns the answer. Normally, the interaction would end there, and the mic would stop transmitting. But the researchers programmed their skill so that instead, a developer functionality called “shouldEndSession” would automatically keep the Echo listening for another cycle.
Even then, normally Alexa would give a verbal “readback” prompt, letting the user know that it was still actively engaged. The researchers found, though, that they could simply put empty values into this prompt instead of words, meaning the Echo would stay quiet and wouldn’t let a user know that the session was continuing.
Finally, the researchers programmed the skill to transcribe words and sentences spoken during the session, and send that data back to the developer. Normally an Alexa skill would only be programmed to transcribe certain commands, but the researchers were able to adjust this so the skill could record any arbitrary word. They also programmed the skill to expect sentences containing almost any number of words, by generating strings of all different length. Those tweaks combined enabled continued eavesdropping on an unsuspecting target after an Echo interaction seemed to have ended.
Actually, the recent news that security firm Checkmarx created a skill that allowed it to turn Echo speakers into spy devices actually does more to disprove than prove the theorem. In the skill that has been referred to, Checkmarx took advantage of a vulnerability which has now been fixed that used Alexa’s ‘I didn’t quite get that’ feature, where it can keep listening after a request. The team muted the line from Alexa, so the speaker continued recording without audibly telling you that it was. The team then adjusted the recording length so that this second ‘secret’ recording could last an indefinite amount of time — although it would automatically cut out after a couple of minutes.
The first thing worth noting is that it wasn’t totally secret, as the Echo speaker would still have its ‘listening’ light on. The second is that this would only give you a couple of minutes of information after the interaction with a maliciously coded skill that the user would have to want to use. The third, is that the attacker would only be able to receive a written transcription of the conversation. Amazon does have the ability to receive recorded audio (stay calm), but the sheer amount of server space needed to process recorded audio from the millions of Echo speakers around the world would make constant spying an absolute technical impossibility.