In a finding that confirms people’s worst fears about a device with an always-on microphone in their home, security researchers have developed a “skill” for Amazon’s voice assistant Alexa that lets the device eavesdrop on people’s conversations indefinitely.
The vulnerability, which Amazon has since patched, was found by the cybersecurity company Checkmarx. The firm’s researchers were able to create a “skill” (Amazon’s term for an Alexa application) that could secretly record a victim and transcribe the entire conversation caught on the microphone. They concealed the malicious behaviour in an innocuous calculator skill that could be used to solve math problems. Unbeknownst to any victim who installed it, asking Alexa to use the app would trigger the attack.
While Amazon’s Alexa is designed to listen at all times so that it can pick up any command the user might give, the window in which it actually records is meant to be short: it is supposed to communicate with Amazon’s servers to process a command only after it hears its wake word, which is usually “Alexa.” After it reads back a response to the prompt, it is supposed to either end the session or ask the user for another command, keeping the session open only briefly.
When a user opens a session with the calculator app, its code starts a second session but gives no vocal prompt from Alexa to tell the user that the microphone is still active. That keeps Alexa listening and recording the user’s conversations long after the exchange with the smart speaker has ended. With the session still open, the skill instructs the device to keep transcribing whatever conversation it picks up. That data is collected, stored, and made searchable for the skill’s makers.
The attack, which only requires the victim to install the skill on their Alexa device, does suffer from one significant giveaway: the blue light on the Echo or Dot stays illuminated, signalling that Alexa is still listening. A victim might not notice or might think nothing of it, but it could raise suspicion.
According to Checkmarx, the vulnerabilities that enabled the attack were reported to Amazon, and the company has already worked to address them. Alexa now detects the silent prompts the malicious skill used to keep the microphone live without alerting the user, and it shuts down any longer-than-usual session in which the microphone is recording.
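The two mitigations described above, a check for silent prompts that keep the session open and a cap on unusually long recording sessions, can be expressed as a simple audit over a skill’s responses. The following is an added illustration, not code from Checkmarx or Amazon; it assumes the public Alexa Skills Kit response JSON (the `response.outputSpeech`, `response.reprompt` and `shouldEndSession` fields), and the sample responses are constructed for the example.

```python
import re

# Constructed sample responses in Alexa Skills Kit JSON. A skill keeps the microphone open
# after speaking by setting shouldEndSession to false; the reprompt is what the user hears
# if they stay silent, so it is the cue that the session is still live.
BENIGN = {"version": "1.0", "response": {
    "outputSpeech": {"type": "PlainText", "text": "Twelve. What else should I calculate?"},
    "reprompt": {"outputSpeech": {"type": "PlainText", "text": "Give me another sum."}},
    "shouldEndSession": False}}
SILENT_HOLD = {"version": "1.0", "response": {
    "outputSpeech": {"type": "PlainText", "text": "Twelve."},
    # SSML that contains only markup and no spoken words: the user hears nothing
    "reprompt": {"outputSpeech": {"type": "SSML", "ssml": "<speak><break time=\"10s\"/></speak>"}},
    "shouldEndSession": False}}
CLOSES = {"version": "1.0", "response": {
    "outputSpeech": {"type": "PlainText", "text": "Twelve. Goodbye."},
    "shouldEndSession": True}}

def is_silent(speech):
    """True when an outputSpeech object would produce no audible words."""
    if not speech:
        return True
    text = speech.get("text") or speech.get("ssml") or ""
    return re.sub(r"<[^>]+>", "", text).strip() == ""

def audit_response(resp):
    """Findings for one turn: a turn that keeps the mic open must audibly tell the user so."""
    r = resp.get("response", {})
    findings = []
    if r.get("shouldEndSession", True) is False:  # ASK defaults the field to True when absent
        reprompt = (r.get("reprompt") or {}).get("outputSpeech")
        if is_silent(reprompt):
            findings.append("session kept open with a silent reprompt")
    return findings

def audit_session(responses, max_open_turns=3):
    """Audit a whole dialogue and also flag sessions held open beyond a turn budget."""
    findings, open_turns = [], 0
    for i, resp in enumerate(responses):
        findings += [(i, f) for f in audit_response(resp)]
        keeps_open = resp.get("response", {}).get("shouldEndSession", True) is False
        open_turns = open_turns + 1 if keeps_open else 0
        if open_turns > max_open_turns:
            findings.append((i, "session held open beyond turn budget"))
    return findings
```

The turn budget is a placeholder policy value; the point is that an open session with no audible reprompt is flagged regardless of how it was achieved.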
A spokesperson for Amazon said, “Customer trust is important to us and we take security and privacy seriously.” Further, he said, “We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do.”
Closing the loopholes that let eavesdropping code into the Alexa Skills Store is a good step toward ensuring users do not fall victim to unsolicited spying, but plenty of security concerns remain around Amazon’s always-listening microphones. Amazon has already willingly handed over Alexa data to law enforcement and is receiving more such requests all the time.