A malicious feature for Amazon Alexa was developed by security researchers at Checkmarx. As a result, the voice assistant Alexa can turn the entire Amazon Echo into a full-featured spying device.
Amazon Echo is a hands-free speaker that can be controlled by voice. The device is also known as Alexa. Amazon Alexa enables users to set alarms, answer questions, play music and more using their voice. It is also the best-selling intelligent personal assistant ever created, with over 31 million users across the globe. Amazon Alexa is used to control millions of voice-activated smart devices, such as Amazon Echo Show, Echo Dot, and Amazon Tap.
It is worth mentioning that Amazon Alexa does not remain active all the time; it also sleeps and ends sessions after some period of time.
Amazon left some space for app developers and enabled them to create custom ‘skills’ and apps for Alexa. Security researchers at Checkmarx developed a proof-of-concept voice-driven feature for Amazon Alexa, which enables the device to record voice in order to spy on consumers’ conversations. The eavesdropped conversations and complete transcripts of them can also be sent to a third-party website.
The malicious feature is activated immediately after installation. It works in the background after a user says “Alexa, open calculator”.
According to Checkmarx,
The calculator skill is initialized, and the API\Lambda-function that's associated with the skill receives a launch request as an input.
In addition, the researchers provide a video demonstration that illustrates a session with the calculator application working in the background.
Even though Alexa is designed to either receive another command from the user in order to keep the session active or finish the session, the infection enables hackers to keep the second session active for monitoring and spying.
If you want to spot a spy, you should check if the blue light on your Amazon Echo is activated for a long period of time when you are not chatting with the device.
The spying issue was reported to Amazon, which has already scanned for malicious skills that silently prompt or listen for unusual periods of time and removed them from the official Amazon store.
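One way a skill reviewer could check for the behavior described above, shown as an added example that is not code from Checkmarx or Amazon. The field names follow the Alexa custom-skill response JSON; the sample responses and function names are constructed for illustration.

```python
import re

TAG = re.compile(r"<[^>]+>")  # strips SSML markup so only spoken words remain

def spoken_text(speech):
    """Return the audible words in an outputSpeech object (PlainText or SSML)."""
    if not speech:
        return ""
    raw = speech.get("ssml") if speech.get("type") == "SSML" else speech.get("text")
    return TAG.sub(" ", raw or "").strip()

def audit_response(envelope):
    """Return findings for one skill response; an empty list means nothing to review."""
    resp = envelope.get("response", {})
    # A missing shouldEndSession is treated as "session ends" in this example.
    if resp.get("shouldEndSession", True):
        return []
    findings = []
    if not spoken_text(resp.get("outputSpeech")):
        findings.append("session kept open without an audible prompt")
    reprompt = resp.get("reprompt")
    if reprompt is not None and not spoken_text(reprompt.get("outputSpeech")):
        findings.append("silent reprompt extends listening")
    return findings

# Constructed sample responses, not captured from any real skill.
SAMPLES = {
    "answer_and_close": {"response": {
        "outputSpeech": {"type": "PlainText", "text": "Two plus two is four."},
        "shouldEndSession": True}},
    "audible_follow_up": {"response": {
        "outputSpeech": {"type": "PlainText", "text": "Four. Anything else?"},
        "reprompt": {"outputSpeech": {"type": "PlainText",
                                      "text": "What would you like to calculate?"}},
        "shouldEndSession": False}},
    "silent_reprompt": {"response": {
        "outputSpeech": {"type": "PlainText", "text": "Four."},
        "reprompt": {"outputSpeech": {"type": "SSML", "ssml": "<speak> </speak>"}},
        "shouldEndSession": False}},
}

def audit_all(samples):
    return {name: audit_response(env) for name, env in samples.items()}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, "->", findings or "ok")
```

Speech made up only of markup, such as an audio clip, is also flagged, so a finding is a prompt for manual review and not a verdict.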
The Hacker News indicated that this is not the first Alexa hack. Security researchers at MWR InfoSecurity have demonstrated how to turn Amazon Echo into a covert listening device.