Amazon’s Alexa hacked purposely to demonstrate security flaws

by Julie Splinters - - 2018-04-27

Echo devices might not be that safe, research shows

Amazon’s Alexa hacked by Checkmarx

Voice activation devices such as Amazon’s Alexa and Google Assistant are useful and fun-to-use. Generally, these devices are relatively well protected when it comes to privacy. However, thanks to ever-improving technologies and hacking attacks^[1] that keep increasing around the globe, the microphone inside the house might pose a serious security risk.

This time, Checkmarx,^[2] a leader company in application security testing and validation, decided to use its clever coding skills to dig into Alexa’s functionality. What they found was quite surprising: they managed to hack Alexa device by simply creating an application that could be potentially inserted into Amazon app store by a third party.

Checkmarx contacted Amazon with these findings. As a result, the tech giant reacted with the immediate fix for a flaw.

Researchers did not take long to make Alexa fulfill their demands

The device should “wake up” as soon as it hears “Alexa.” It is supposed to follow the script of the activated app, record user’s communication with it and then shut itself down, preventing from the further recording of sounds.

Checkmarx found a way to bypass this sequence and finally hack the device. In fact, they succeeded without tremendous effort. Erez Yalon, the head of research at Checkmarx, came up with the following explanation:

We actually did not hack anything, we did not change anything, we just used the features that are given to developers. We had a few challenges that we had to overcome, but step by step it happened.

For demonstration purposes, the researchers used a simple calculator skill app to gain access to Alexa. However, making the device to keep listening and recording without alerting the user was not as simple as it seemed. To keep Alexa on for another cycle, Checkmarx experts had to manipulate the code called “shouldEndSession” by replacing words with empty values.^[3] This made the device to stay silent.

Additionally, Checkmarx found a way to make the device to record all words, transcribe them and send data back to the developer. In normal mode, Alexa transcribes^[4] only specific commands.

Amazon is working on improving the security of their device

Fortunately, certain limitations are applied to this security breach as the data that could be could be collected is not provided as conversations, but as transcripts. Also, the recording session would only last few minutes before the device shuts itself down.

Checkmarx also noted that the blue indicator light stays on during this process. Therefore, users can still see if the device is listening.

After being informed, Amazon launched few updates to app-certification process^[5] to not allow apps that can listen in. Also, empty prompts and extremely long sessions are now analyzed to take appropriate action.

About the author

Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions

References

^ Alice Woods . Ransomware breaches doubled last year. Growth expected in 2018. 2-spyware. Security news and articles.
^ We Secure Your Code. Checkmarx. A firm that specializes in security checks.
^ empty. PHP. Scripting language.
^ Transcription (software). Wikipedia. The Free Encyclopedia.
^ Appstore Submission. Amazon App Store.