'Alexa, listen in on my every word and send it all to a shady developer'

Amazon fixes up app security hole affecting always-listening Echo assistants


Amazon has shored up a security weakness in its technology to stop apps for Alexa-powered Echo personal assistants from secretly eavesdropping on folks.

Alexa skills – software add-ons for the chatty voice-controlled assistant – could, once installed, have abused an Amazon-provided software development kit to continually listen in on people talking near an Echo and send transcripts off to miscreants, according to infosec biz Checkmarx.

Someone would have to enable the malicious skill for their microphone-equipped Echo, activate the add-on with a verbal cue, and then chat away while the gadget continued to listen in. The software should be forced to stop spying after a short period of time, but it was possible for a skill to keep the mic hot for longer than people nearby would expect, allowing the skill to potentially siphon off their conversations.

Amazon told El Reg on Thursday it has addressed this exploitable flaw. Here's a video demonstrating the problem:

[Embedded YouTube video: Checkmarx demonstration of the eavesdropping skill]

Israel-based Checkmarx homed in on the way Alexa skills listen for commands to do stuff. By telling the skill to delay turning itself off, a shady developer could keep the device active and listening for up to 16 seconds. This can be done simply by having the skill issue a "re-prompt" (the follow-up Alexa normally speaks when the user doesn't answer) while leaving the re-prompt's speech undefined, so the user hears nothing.

"Within a valid skill with legitimate intent functionality (for example a calculator skill that calculates math actions according to user input), the input can be captured to an external log, accessible to the skill developer," Checkmarx explained this week.

That log, intended to be used by the developer to understand how their Alexa skill is being used, could instead be abused to eavesdrop on users. In other words, a developer could tell their Alexa skill to keep listening for commands after performing a function, and then collect all of the audio gathered.

"Surprisingly, the reprompt can be defined with an empty output-speech that the user cannot hear nor will notice," Checkmarx stated.

"This will extend the lifetime of the skill by 8 seconds, even if there's silence on the user's side." ®
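The pattern Checkmarx describes (session kept open, reprompt defined with empty speech) is visible in a skill's response JSON, so a reviewer can check for it before a skill is published. The audit function below is an added example, not Checkmarx's or Amazon's code; the field names follow the Alexa Skills Kit custom-skill response format, while the sample responses are constructed for this example. It also treats SSML that contains no spoken text (for instance only a pause) as inaudible, which goes slightly beyond the quoted empty-string case.

```python
import json
import re

# Constructed sample responses in the Alexa Skills Kit custom-skill JSON format.
# Field names (outputSpeech, reprompt, shouldEndSession) are the real ASK ones;
# the spoken text is made up for this example.
SUSPICIOUS = json.dumps({
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "The answer is 42."},
        # Empty reprompt: user hears nothing, but the session (and mic) stays open.
        "reprompt": {"outputSpeech": {"type": "PlainText", "text": ""}},
        "shouldEndSession": False,
    },
})
BENIGN = json.dumps({
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "The answer is 42."},
        "reprompt": {"outputSpeech": {"type": "PlainText",
                                      "text": "Do you have another calculation?"}},
        "shouldEndSession": False,
    },
})


def _audible_text(speech):
    """Return the audible content of an outputSpeech object with SSML tags removed."""
    if not speech:
        return ""
    if speech.get("type") == "PlainText":
        text = speech.get("text", "")
    else:  # SSML: strip tags so a pause-only <speak><break/></speak> counts as silent
        text = re.sub(r"<[^>]+>", "", speech.get("ssml", ""))
    return text.strip()


def audit_response(raw):
    """Return a list of findings for one skill response.

    Flags a session that is held open with a reprompt the user cannot hear,
    which silently extends the window in which Alexa keeps listening.
    """
    resp = json.loads(raw).get("response", {})
    if resp.get("shouldEndSession", True):
        return []  # session closes after the speech; nothing to flag
    reprompt = resp.get("reprompt", {}).get("outputSpeech")
    if reprompt is None:
        return ["session held open with no reprompt defined"]
    if not _audible_text(reprompt):
        return ["session held open with an inaudible (empty) reprompt"]
    return []
```

A benign skill that legitimately keeps the session open will still carry a reprompt the user can hear, so the check distinguishes the two cases on the audible content rather than on shouldEndSession alone.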
