Vulnerability in Amazon Alexa allowed hackers to eavesdrop
An Amazon Echo skill created as a proof of concept by security experts illustrates how hackers can listen in on and record every word said to the Alexa virtual assistant. Checkmarx researchers created the proof-of-concept Alexa skill using the virtual assistant's built-in request capabilities. The skill begins by initiating an Alexa voice-command session that fails to stop listening after the command is given. Next, any recorded audio is transcribed and a text transcript is sent to a hacker. Checkmarx brought its attack to Amazon's attention so that the company could fix the flaw that allowed the skill to capture audio on April 10. By default, Alexa ends the session after each duration, but researchers were able to build a feature that kept the session going so Alexa would continue listening. Researchers also wanted to make sure that Alexa kept listening without prompting the user. Researchers were able to manipulate code within a built-in Alexa JavaScript library called ShouldEndSession. The JavaScript library is tied to Alexa's orders to stop listening if it doesn't hear the user's command properly. The tweaks to the code enabled Alexa to continue listening, no matter the voice request order.
One challenge for researchers was Alexa's reprompt feature. Reprompts are used when the service keeps the session open after sending the response but the user doesn't say anything, so Alexa asks the user to repeat the order. However, researchers were able to replace the reprompt with empty reprompts, so that a listening cycle starts without letting the user know. Researchers were also able to transcribe the voice received by skills. To listen for and transcribe arbitrary text, researchers had to use two tricks. They added a new slot type that captures any single word, not limited to a closed list of words. They also had to build a formatted string for each possible length in order to capture sentences of almost any length. One major hurdle researchers faced was the shining blue ring, which reveals when Alexa is listening. Since Alexa is not like a smartphone or tablet, users don't have to look at it to use it, so researchers didn't address it.
Amazon resolved this issue by tweaking several features on April 10 after becoming aware of the flaw. Amazon fixed the problem by applying specific criteria to identify and reject eavesdropping skills during certification, detecting empty reprompts, and detecting unusually long sessions. Researchers did not publicly release the malicious skill until Amazon released its security patch. In September, researchers had devised a proof of concept that allows malicious code to access popular voice assistants like Siri, Google, Cortana, and Alexa using ultrasonic frequencies instead of voice commands. In November, security firm Armis disclosed that Amazon Echo and Google Home devices are vulnerable to attacks through the over-the-air BlueBorne Bluetooth vulnerability. These proofs of concept raise questions about the privacy risks around voice services such as Alexa, as well as other connected devices in the home.
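
The two signals named in the fix (empty reprompts and unusually long sessions) can be sketched as an audit over the JSON responses a skill returns during one session. This is an added example, not Amazon's or Checkmarx's code; it assumes the standard Alexa response fields `shouldEndSession` and `reprompt.outputSpeech`, and the turn limit, rule names and sample responses are constructed for illustration.

```javascript
// Added example: audit one session's skill responses for the two signals
// named above. MAX_OPEN_TURNS is an assumed threshold, not Amazon's.
const MAX_OPEN_TURNS = 5;

// Text the user would actually hear from an outputSpeech object.
function spokenText(speech) {
  if (!speech) return "";
  const raw = speech.type === "SSML" ? speech.ssml : speech.text;
  return String(raw || "").replace(/<[^>]*>/g, "").trim();
}

// envelopes: response JSON objects from one session, in order.
function auditSession(envelopes, maxOpenTurns = MAX_OPEN_TURNS) {
  const findings = [];
  let openTurns = 0; // consecutive responses that kept the session open
  envelopes.forEach((env, turn) => {
    const r = (env && env.response) || {};
    // Only an explicit false is counted as "keep listening" here.
    if (r.shouldEndSession !== false) { openTurns = 0; return; }
    openTurns += 1;
    // Session stays open but the reprompt is missing or has nothing audible.
    if (spokenText(r.reprompt && r.reprompt.outputSpeech) === "") {
      findings.push({ turn, rule: "silent-reprompt" });
    }
    // Report the long session once, at the turn where it crosses the limit.
    if (openTurns === maxOpenTurns + 1) {
      findings.push({ turn, rule: "long-session" });
    }
  });
  return findings;
}

// Constructed sample data (not captured from any real skill).
const reply = (text, repromptSpeech, end) => ({
  version: "1.0",
  response: {
    outputSpeech: { type: "PlainText", text },
    ...(repromptSpeech ? { reprompt: { outputSpeech: repromptSpeech } } : {}),
    shouldEndSession: end,
  },
});
const benign = [
  reply("Which city?", { type: "PlainText", text: "Sorry, which city?" }, false),
  reply("It is sunny in Oslo.", null, true),
];
const suspicious = Array.from({ length: 7 }, (_, i) =>
  reply("", i % 2 ? { type: "SSML", ssml: "<speak> </speak>" }
                  : { type: "PlainText", text: "" }, false));

console.log(auditSession(benign), auditSession(suspicious));
```

An SSML reprompt that contains only markup counts as empty here, since nothing audible reaches the user.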