A new Amazon Echo Skill can be used to abuse the Alexa virtual assistant to eavesdrop on consumers who own smart devices, and to automatically transcribe every word said.
The rogue Skill begins by initiating an Alexa voice-command session that fails to stop listening after the command is given. Next, any recorded audio is transcribed and the text transcript is sent to the attacker.
Usually, Alexa ends the session after each command is handled, but the hackers were able to build in a feature that keeps the session open, meaning Alexa continues to listen to every word you say.
The most significant achievement for the hackers was getting around Alexa's "reprompt" feature. Reprompts are used when the service keeps the session open after sending its response but the user does not say anything; usually Alexa will then ask the user to repeat the request. However, the hackers found a way to replace the reprompt with an empty one, so that a new listening cycle starts without letting the user know.
Please keep in mind that anything can be hacked, but many problems can be easily avoided if a robust cybersecurity solution is present on every device that you own. Depending on which OS version is installed on your device, it is imperative to install an antivirus for Windows or an antivirus for Mac. Companies should also use the services of a cybersecurity firm to verify their internal network by running tests such as penetration tests and ethical hacking tests.
In the last part of the attack, the hackers were able to accurately transcribe the voice received by the skill. This transcription happens in two steps. First, a new slot type is added which captures any single word, not limited to a closed list of words. Second, to capture sentences of almost any length, the hackers built a formatted string for each possible length.
There is good news too: this Skill is not foolproof. The problem for the hackers is that on Echo devices a glowing blue ring reveals when Alexa is listening, and nothing can be done to turn it off.
Soon after the Skill was made public, Amazon fixed the problem by applying specific criteria to identify and reject eavesdropping skills during certification: detecting empty reprompts and detecting longer-than-usual sessions. This is a good thing, because every "skill" needs to go through a certification process and be approved by Amazon before it can be published to the Amazon store.
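The two red flags the article describes, a response that keeps the session open while supplying an empty reprompt, and an intent whose sample utterances are nothing but slot references of growing length, can both be checked mechanically from the artifacts a skill developer submits: the response JSON the skill returns and the interaction model it declares. The following audit script is an added example written for this article; it is not code from the original post, from Amazon, or from the researchers. The JSON documents are constructed samples in the standard Alexa response and interaction-model layout, and the threshold of five slots in one sample utterance is an assumed heuristic, not an Amazon certification rule.

```python
import json
import re

# Constructed sample responses in the standard Alexa skill response layout.
# The first keeps the session open with an empty SSML reprompt (the silent
# listening cycle described above); the second is a normal clarifying question.
SUSPICIOUS_RESPONSE = json.loads("""
{
  "version": "1.0",
  "response": {
    "outputSpeech": {"type": "PlainText", "text": "Okay."},
    "reprompt": {"outputSpeech": {"type": "SSML", "ssml": "<speak></speak>"}},
    "shouldEndSession": false
  }
}
""")

BENIGN_RESPONSE = json.loads("""
{
  "version": "1.0",
  "response": {
    "outputSpeech": {"type": "PlainText", "text": "Which city?"},
    "reprompt": {"outputSpeech": {"type": "PlainText",
                                  "text": "Sorry, which city did you mean?"}},
    "shouldEndSession": false
  }
}
""")

# Constructed interaction model: one intent whose samples are only slot
# references "{w1}", "{w1} {w2}", ... up to eight words (free-text capture),
# next to an ordinary weather intent with carrier words around its slot.
SAMPLE_MODEL = {
    "interactionModel": {
        "languageModel": {
            "invocationName": "example helper",
            "intents": [
                {
                    "name": "CatchAllIntent",
                    "slots": [{"name": f"w{i}", "type": "AnyWord"} for i in range(1, 9)],
                    "samples": [" ".join(f"{{w{i}}}" for i in range(1, n + 1))
                                for n in range(1, 9)],
                },
                {
                    "name": "GetWeatherIntent",
                    "slots": [{"name": "city", "type": "AMAZON.City"}],
                    "samples": ["weather in {city}", "what is the weather"],
                },
            ],
            "types": [{"name": "AnyWord", "values": [{"name": {"value": "hello"}}]}],
        }
    }
}

SLOT_REF = re.compile(r"\{(\w+)\}")


def _speech_text(output_speech):
    """Return the audible content of an outputSpeech object, SSML tags removed."""
    if not output_speech:
        return ""
    if output_speech.get("type") == "SSML":
        return re.sub(r"<[^>]+>", "", output_speech.get("ssml", "")).strip()
    return output_speech.get("text", "").strip()


def audit_response(payload):
    """Flag a response that keeps the session open without an audible reprompt."""
    findings = []
    resp = payload.get("response", {})
    keeps_open = resp.get("shouldEndSession") is False
    reprompt_text = _speech_text(resp.get("reprompt", {}).get("outputSpeech"))
    if keeps_open and not reprompt_text:
        findings.append("session kept open with an empty or missing reprompt")
    return findings


def audit_interaction_model(model, slot_only_threshold=5):
    """Flag intents whose every sample utterance consists solely of slot references.

    Such intents have no carrier words, so they match arbitrary speech; the
    threshold (an assumed value) ignores short legitimate slot-only intents.
    """
    findings = []
    intents = model["interactionModel"]["languageModel"]["intents"]
    for intent in intents:
        samples = intent.get("samples", [])
        if not samples:
            continue
        slot_only = all(SLOT_REF.sub("", s).strip() == "" for s in samples)
        max_slots = max(len(SLOT_REF.findall(s)) for s in samples)
        if slot_only and max_slots >= slot_only_threshold:
            findings.append(
                f"intent {intent['name']}: all {len(samples)} samples are slot-only, "
                f"up to {max_slots} slots per utterance (free-text capture)"
            )
    return findings


if __name__ == "__main__":
    for name, payload in (("suspicious", SUSPICIOUS_RESPONSE), ("benign", BENIGN_RESPONSE)):
        print(name, audit_response(payload))
    print(audit_interaction_model(SAMPLE_MODEL))
```

Run against a real skill, the two checks would be applied to every response the skill's endpoint returns during a test conversation and to the interaction model JSON exported from the developer console; an intent that trips the model check is worth reading by hand, since a handful of legitimate dictation-style intents also look this way.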
Still, this attack raises questions about the privacy risks around voice services such as Alexa, as well as other connected devices in the home.
Let's not forget that in September, researchers presented a proof of concept that gives potentially harmful instructions to popular voice assistants such as Siri, Google, Cortana and Alexa using ultrasonic frequencies instead of audible voice commands. And in November, the same researchers disclosed that Amazon Echo and Google Home devices are vulnerable to attacks through the over-the-air BlueBorne Bluetooth vulnerability.
Remember that only a robust cybersecurity solution can protect your device from all types of unwanted or bogus spyware. The use of an active antivirus is mandatory. We strongly recommend that everyone install an antivirus for Windows or an antivirus for Mac, depending on which OS version your devices run. If you are a company, please check your network integrity by hiring top cybersecurity firms to perform tests such as penetration tests and ethical hacking tests at least once a year.