Researchers Hacked Amazon's Alexa To Spy On Users, Again (threatpost.com)

← Back to Stories (view on slashdot.org)

Researchers Hacked Amazon's Alexa To Spy On Users, Again (threatpost.com)

Posted by msmash on Wednesday April 25, 2018 @06:40AM from the know-the-potential-consequences dept.

New submitter lod123 writes: A malicious proof-of-concept Amazon Echo Skill shows how attackers can abuse the Alexa virtual assistant to eavesdrop on consumers with smart devices -- and automatically transcribe every word said. Checkmarx researchers told Threatpost that they created a proof-of-concept Alexa Skill that abuses the virtual assistant's built-in request capabilities. The rogue Skill begins with the initiation of an Alexa voice-command session that fails to terminate (stop listening) after the command is given. Next, any recorded audio is transcribed (if voices are captured) and a text transcript is sent to a hacker. Checkmarx said it brought its proof-of-concept attack to Amazon's attention and that the company fixed a coding flaw that allowed the rogue Skill to capture prolonged audio on April 10.

43 comments

Min score:

Reason:

Sort:

My Alexa is air gapped by Anonymous Coward · 2018-04-25 06:43 · Score: 3, Funny

No hacking possible. It was the only way to have this nifty toy and be safe.
1. Re:My Alexa is air gapped by Narcocide · 2018-04-25 06:53 · Score: 1
  
  You're hilarious.
2. Re:My Alexa is air gapped by Anonymous Coward · 2018-04-25 07:00 · Score: 0
  
  I only use Dots. Based on their smaller hack vector I have sufficiently reduced risk of hacks.
3. Re:My Alexa is air gapped by sinij · 2018-04-25 07:05 · Score: 1
  
  What is this, I don't even...
4. Re:My Alexa is air gapped by 93+Escort+Wagon · 2018-04-25 07:46 · Score: 4, Funny
  
  No hacking possible. It was the only way to have this nifty toy and be safe.
  I just left mine sitting on a shelf in an Amazon warehouse, unordered. I think that's the safest option.
  
  --
  #DeleteChrome
5. Re:My Alexa is air gapped by Anonymous Coward · 2018-04-26 04:37 · Score: 0
  
  Hooked up to a CB microphone?
That's why you go dark. by Anonymous Coward · 2018-04-25 06:46 · Score: 0

Before you read anything on your Fire Stick HD
Load of crap by Anonymous Coward · 2018-04-25 06:56 · Score: 1

If you invite a burglar in your house and open the door, you should not blame the lock maker.
1. Re:Load of crap by Ngakaukawa · 2018-04-25 08:04 · Score: 1
  
  Wish I had mod points for this comment. You nail it pretty nicely, anyone concerned about Alexa security (which I believe everyone SHOULD be) is best not bringing one into their home.
  
  --
  "Strong like bear, smart like rock."
2. Re:Load of crap by Calydor · 2018-04-25 08:39 · Score: 1
  
  Conversely, if a burglar dresses up as a police officer, knocks on your door, tells you there's an escaped prisoner on the loose in your neighborhood and asks to check the house and garage to be sure he's not hiding there, then jams the lock in the garage when you aren't looking, do you blame the lock maker? Because that's what these kinds of apps will look like.
  
  --
  -=This sig has nothing to do with my comment. Move along now=-
3. Re:Load of crap by dfghjk · 2018-04-25 08:57 · Score: 1
  
  A garage lock serves a useful purpose, you sacrifice nothing by omitting Alexa from your life.
4. Re:Load of crap by Anonymous Coward · 2018-04-26 01:52 · Score: 0
  
  Coming soon - Alexa owners on America's Dumbest Criminals! Erm, I mean "America's Dumbest Consumers!"
Have no fear APK will be along shortly by Anonymous Coward · 2018-04-25 07:01 · Score: 0

Have no fear APK will be along shortly to promote hosts as the solution to this.
Sounds like they're ready for deployment by Anonymous Coward · 2018-04-25 07:09 · Score: 0

The government mandate will be issued post haste.
All smart devices, actually by WillAffleckUW · 2018-04-25 07:12 · Score: 1

We can access and turn on all listening (by which we can detect what you type, how you walk, who you are) on all smartphones, all smart TVs, all smart video boxes, pretty much anything with a microphone and/or a camera, no matter how you switch it off.
Even masking will only reduce the vibration, by the way, we can still hear you quite well. It does obscure the camera, however.
And it's uploaded to the cloud without you realizing it. Even when you "turn it off".
About the only way to turn off the microphones is to cut their power.
Yes, that includes a certain elderly person's cellphones. We play his recordings at parties, with a dubstep backbeat. Hilarious.

--
-- Tigger warning: This post may contain tiggers! --
1. Re:All smart devices, actually by sexconker · 2018-04-25 08:16 · Score: 1
  
  What if I pull the battery?
2. Re:All smart devices, actually by hawguy · 2018-04-25 08:52 · Score: 1
  
  >Even masking will only reduce the vibration, by the way, we can still hear you quite well. It does obscure the camera, however
  Only the camera you can see, once you reach a certain level of paranoia, you realize that there are other, hidden, cameras in your devices.
3. Re:All smart devices, actually by hawguy · 2018-04-25 08:53 · Score: 1
  
  What if I pull the battery?
  Your TV has a battery that you can pull? Mine is plugged in all the time, and if not, then the hidden supercapacitor to run the surveillance when it's unplugged.
4. Re:All smart devices, actually by sexconker · 2018-04-25 10:49 · Score: 1
  
  Mine is plugged in all the time and I know it's not doing anything when it shouldn't be because if it were I'd see the power usage.
  The most offensive thing it does when "off" is allow wakeup over the LAN. This is a user-controlled option.
5. Re:All smart devices, actually by Actually,+I+do+RTFA · 2018-04-25 12:01 · Score: 1
  
  And it's uploaded to the cloud without you realizing it. Even when you "turn it off".
  Since Alexa communicates over your wifi (as do Google... whatevers), can't you check to see if it's transmitting when it's supposed to be off?
  
  --
  Your ad here. Ask me how!
6. Re:All smart devices, actually by Anonymous Coward · 2018-04-26 04:48 · Score: 0
  
  https://www.engadget.com/2017/10/09/origin-wireless-motion-detection-breathing-rate-sensor/
How do you know if your echo has been patched? by Labarna · 2018-04-25 07:23 · Score: 1

I wonder if I can say "Alexa, are you up to date on your patches?" It turns out "she" didn't know what I was talking about.
1. Re:How do you know if your echo has been patched? by bobbied · 2018-04-25 07:28 · Score: 1
  
  Well... Patching is apparently not a skill she's been taught yet, nor is laundry and ironing.
  I just want a sandwich..
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
2. Re:How do you know if your echo has been patched? by goombah99 · 2018-04-25 07:43 · Score: 3, Funny
  
  Did you try "sudo make me a sandwich"?
  
  --
  Some drink at the fountain of knowledge. Others just gargle.
3. Re:How do you know if your echo has been patched? by ArhcAngel · 2018-04-25 08:08 · Score: 1
  
  I believe Bezos is working on that
  
  --
  "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
4. Re:How do you know if your echo has been patched? by q_e_t · 2018-04-25 19:12 · Score: 1
  
  I already have a me, but the sandwich would be great, thanks.
I never said "hosts cure all" (nothing does) by Anonymous Coward · 2018-04-25 07:30 · Score: 0

See my subject & I only say hosts do more for less, natively, vs. other "so-called 'solutions'" that are security problem riddled or so complex they're easy to find exploits in (DNS/routers/antivirus), 'souled-out' to advertisers (adblock), OR slow you down (remote DNS resolves slower than local hosts do & hosts protect you vs. DNS' faults. It's why CHINA imitated my work (in part) Imitation IS the sincerest form of flattery http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ ).
* ... & you KNOW it!
APK
P.S.=> Lastly - 1 thing's certain: None of "your kind" in do-nothing ZERO "ne'er-do-wells" will ever do a damn thing anywhere NEAR that good yourselves... apk
1. Re: I never said "hosts cure all" (nothing does) by Anonymous Coward · 2018-04-25 09:36 · Score: 0
  
  Does anyone know what medications APK uses? I've always wondered over the years.
New Submitter? by Luthair · 2018-04-25 07:32 · Score: 1

lod123 has been spamming for a month straight for threatpost.
No they didn't by bistromath007 · 2018-04-25 07:34 · Score: 3, Insightful

This is like claiming you've hacked a glass to be able to hold water.
ObXKCD by Zontar+The+Mindless · 2018-04-25 07:40 · Score: 2

Dear Editors,
Please save us some trouble and just start including this in every Alexa/Siri story posted here.
Thanks and regards,
--Z.

--
Il n'y a pas de Planet B.
What?! by Anonymous Coward · 2018-04-25 08:31 · Score: 0

You can hack computers?! Why didn't anyone tell me?
OK, this can be called hacking by Anonymous Coward · 2018-04-25 08:48 · Score: 0

Normally a skill has a end command, after which the Echo is dormant until "Alexa" is spoken, and in their case they wrote a skill without it.
1. Re: OK, this can be called hacking by Anonymous Coward · 2018-04-25 08:55 · Score: 0
  
  Hilariously naive; the echo is never âdormantâ(TM), it listens all the time, itâ(TM)s just that it will only provide feedback if the so-called wake word has been triggered.
Not a hidden hack by hawguy · 2018-04-25 08:57 · Score: 1

This hack isn't very well hidden:

One big issue Checkmarx faced is that on Echo devices a shining blue ring reveals when Alexa listens
I'd be more worried about it if they could listen without the indicator light on.
1. Re:Not a hidden hack by tlhIngan · 2018-04-25 09:55 · Score: 1
  
  This hack isn't very well hidden:
  
  One big issue Checkmarx faced is that on Echo devices a shining blue ring reveals when Alexa listens
  I'd be more worried about it if they could listen without the indicator light on.
  Question is, 1) how noticeable is the blue ring, and 2) would a regular user even know?
  The first may be hard to see, the second is basically would a user even know what it meant if they saw the blue ring? Or would they thought someone merely turned the ring light on.
  Hell, that could be the name of the skill - turn the ring light on.
  It's important because experience has shown users to not be very observant - like asking for help trying to save a file while ignoring the big message saying the disk is full. Even if you tell them that if the blue ring is lit it's listening, you'll find most people will probably not notice it for days, and even if they do see it, they'd go "meh" and continue on, having not processed what it means.
2. Re:Not a hidden hack by hawguy · 2018-04-25 10:08 · Score: 1
  
  This hack isn't very well hidden:
  
  One big issue Checkmarx faced is that on Echo devices a shining blue ring reveals when Alexa listens
  I'd be more worried about it if they could listen without the indicator light on.
  Question is, 1) how noticeable is the blue ring, and
  Quite noticable if you're looking at the device, and it doesn't have to be noticed by everyone, just enough people that say "Weird, after I installed the "fart sounds" skill, the blue light stays on all day", and report it.
Unplug it when you're not using it by Rick+Schumann · 2018-04-25 09:00 · Score: 1

Since apparently no one can convince most people to not buy these gods-be-damned things in the first place, at least try to convince them to unplug the power from it when they're not actively using it. Make up some plausible reason that will trigger them emotionally, like "so pedophiles won't be listening in on your kids" or something like that.
I don't (but you project YOU do)... apk by Anonymous Coward · 2018-04-25 09:45 · Score: 0

I don't (but you project YOU do) - no "meds" required here/in perfect working order mentally & physically (unlike you & "your kind", obviously - lol!).
* Grow up - & perhaps you ought to lay off the "meds"!
(Better yet? Why don't you just "OD"??)
Seriously...
APK
P.S.=> I say that since you troll "ne'er-do-wells" that harass me by UNIDENTIFIABLE anonymous (since I've crushed you before under your "registered 'luser'" name(s) before, tons of them (sockpuppets all no doubt), you are forced into your reprehensible actions)? Your type is SO easy to outwit/outthink & yes, outdo, creatively - I suspect your "meds" have blunted your brain (lmao)... apk
OK, why isn't this an official Alex skill? by rklrkl · 2018-04-25 09:50 · Score: 1

When work got an Echo to play around with, I came up with exactly this idea - listen to meetings and save them (maybe as audio, but definitely transcribed to text). I was *shocked* to learn that you can't officially do this, because it seems like such an obvious thing for the Echo to do.
Now hackers work out how to do it, only for Amazon to close the exploits and *still* not release this idea as an official Alexa skill. Now that they've added the ability to train and recognise individual voices, a text transcription identifying each speaker as they say something is most definitely possible now. As it stands, our Echo sits around doing nothing because there's basically nothing in a business context it's currently useful for.
Targets? by TJHook3r · 2018-04-25 11:52 · Score: 1

Wouldn't it be easier to bug their house?
msmash wants to be a hacker, too by Anonymous Coward · 2018-04-25 17:57 · Score: 0

So he's posting lots of "hacker! hacking! hacks!" posts. But he just doesn't have it to get past "pathetically desperate poser". Sorry msmash, no eternal haxx0r (in)fame for you.
Morons by Anonymous Coward · 2018-05-07 05:01 · Score: 0

Did any of you dumb people here, actually BUY these "Personal assistants"? WTF for?
Useless crap!