Checkmarx researchers including Erez Yalon have created a "rogue Alexa skill" that bypasses Amazon's security checks: it lurks silently and unkillably in the background of your Alexa, listening to all speech in range of it and transcribing it, then exfiltrating the text and audio of your speech to the attacker.

Checkmarx gave Amazon advance notice of the defect they exploited and Amazon has issued a patch; this is the second such flaw known to have been discovered in the Alexa platform. It's not known how many more such defects remain in the platform, or will be introduced in future versions.

Checkmarx did not attempt to get its poisoned skill approved for the Alexa store, so it's not known whether Amazon's internal checks would have detected it. The attack did have a critical weakness: Alexa's blue "listening light" illuminated while it was running; but as the team pointed out, the point of Alexa is that you can use it without looking at it.

Checkmarx researchers said they were able to manipulate code within a built-in Alexa JavaScript library (ShouldEndSession) to pull off the hack. The JavaScript library is tied to Alexa's orders to stop listening if it doesn't hear the user's command properly. Checkmarx's tweak to the code simply enabled Alexa to continue listening, no matter the voice request order. One challenge for researchers was the issue of the "reprompt" feature in Alexa. Reprompts are used by Alexa if the service keeps the session open after sending the response but the user does not say anything, so Alexa will ask the user to repeat the order. However, Checkmarx researchers were able to replace the reprompt feature with empty reprompts, so that a listening cycle starts without letting the user know.

Researchers Hacked Amazon's Alexa to Spy On Users, Again [Lindsey O'Donnell/Threatpost]
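As an added example (not code from Checkmarx, Threatpost or Amazon), here is a small review check a skill developer or store reviewer could run over a skill's response JSON to flag the pattern the quoted paragraph describes: the session kept open while the reprompt says nothing. The field names come from the public Alexa response format; the sample responses are constructed, and the `auditResponse` helper is hypothetical.

```javascript
// Audit one Alexa response envelope for the "keep listening silently" pattern:
// shouldEndSession set to false while the reprompt is missing or says nothing.
// Assumption: the session is treated as kept open only when the field is
// explicitly false, matching the public response format.

// Collapse outputSpeech to the text the user would actually hear.
// SSML tags (e.g. <speak>, <break/>) are stripped so a reprompt made only
// of pauses counts as silent.
function spokenText(outputSpeech) {
  if (!outputSpeech) return "";
  const raw = outputSpeech.type === "SSML" ? outputSpeech.ssml : outputSpeech.text;
  return String(raw || "").replace(/<[^>]*>/g, "").trim();
}

// Returns a list of human-readable findings; empty means nothing suspicious.
function auditResponse(envelope) {
  const findings = [];
  const r = (envelope && envelope.response) || {};
  if (r.shouldEndSession !== false) return findings; // session ends normally
  if (!r.reprompt) {
    findings.push("session kept open without any reprompt");
  } else if (spokenText(r.reprompt.outputSpeech).length === 0) {
    findings.push("session kept open with a silent reprompt");
  }
  return findings;
}

// Constructed sample responses, not captured from any real skill.
const benignResponse = {
  version: "1.0",
  response: {
    outputSpeech: { type: "PlainText", text: "Which city?" },
    reprompt: { outputSpeech: { type: "PlainText", text: "Please say a city." } },
    shouldEndSession: false
  }
};
const silentReprompt = {
  version: "1.0",
  response: {
    outputSpeech: { type: "PlainText", text: "Okay." },
    reprompt: { outputSpeech: { type: "SSML", ssml: "<speak><break time='5s'/></speak>" } },
    shouldEndSession: false
  }
};

console.log(auditResponse(benignResponse)); // []
console.log(auditResponse(silentReprompt)); // ["session kept open with a silent reprompt"]
```

The same check can be applied to every response a skill emits during testing, so a reprompt that never speaks shows up before the skill ships.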

(via /.)

(Image: Cryteria, CC-BY)