From “Researchers Find Amazon Alexa Can Be Hacked to Record Users”
eWeek (04/25/18) Kerner, Sean Michael. Posted by ASIS.
The security firm Checkmarx on April 25 disclosed it has found that a malicious developer can trick Amazon’s Alexa voice assistant technology to record everything a user says. It is currently unclear if any hackers have ever exploited the flaw, which is not in the Amazon Echo hardware, but rather is an abuse of functionality in the Alexa Skills feature set. Developers can extend Alexa’s technology by building skills that provide new functionality for end users. Checkmarx found that there were several unbounded parameters that were available to Alexa skills developers that could have enabled a malicious developer to record and even transcribe what a user says, even after the user had finished communicating with the device. “Customer trust is important to us, and we take security and privacy seriously,” an Amazon spokesperson stated. “We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do.” The Checkmarx research found that an attacker could manipulate an Alexa Skill, which can be installed by unsuspecting users and doesn’t require any physical access or tampering with the Amazon Echo smart speaker. “The problem is that the attack we described leaves no trace, so a naïve user will not be able to know,” said Erez Yalon, manager of application security research at Checkmarx. “It makes sense that with the info they have now, Amazon can check if the Amazon Store hosts any malicious Alexa Skills.”
Gregory M. Schmidt, CPP, PSP, CHPA 