“Alexa, are you spying on me?” — aaaa…..mmmm…..hmmm…..maybe!!!
Security researchers have developed a new malicious ‘skill’ for Amazon’s popular voice assistant Alexa that can turn your Amazon Echo into a full-fledged spying device.
Amazon Echo is an always-listening voice-activated smart home speaker that allows you to get things done by using your voice, like playing music, setting alarms, and answering questions.
However, the device doesn’t remain activated all the time; instead, it sleeps until the user says, “Alexa,” and by default, it ends a session after some duration.
Disguised as a simple calculator for solving maths problems, the malicious skill, if installed, immediately gets activated in the background after a user says “Alexa, open calculator.”
“The calculator skill is initialized, and the API\Lambda-function that’s associated with the skill receives a launch request as an input,” researchers said in its report.
In a video demonstration, researchers show that when a user opens up a session with the calculator app (in the background), it also creates a second session without verbally indicating the user that the microphone is still active.
Checkmarx reported the issue to Amazon, and the company has already addressed the problem by regularly scanning for malicious skills that “silent prompts or that listen for unusual lengths of time” and kicking them out of their official store.
It’s not the first Alexa hack demonstrated by the researchers. Last year, a separate group of researchers at MWR InfoSecurity showed how hackers could turn some models of Amazon Echo into the covert listening device.