Amazon fixes Alexa's eavesdropping flaw on Skills to carry out commands
Amazon's Alexa voice assistant is used in millions of gadgets, including the company's popular Echo speaker, and relies on programmed capabilities called Skills to carry out voice commands, such as asking about the weather.
Security researchers from Checkmarx, a security firm, discovered a flaw in Alexa that allowed a Skill to continue listening long after a person deactivated the software, a flaw that could enable hackers to turn the Echo into an eavesdropping device.
After Alexa carries out a command, it is supposed to stop listening. Amazon, however, never stipulated how long Alexa keeps listening after a command is completed, which prompted the Checkmarx researchers to run their tests.
But the researchers developed a Skill that continued listening indefinitely by taking advantage of Alexa's "Reprompt" command. They found that a developer could write code instructing Alexa to do that even if it had perfectly understood the command.
The researchers were also able to mute the reprompt so that you wouldn't hear Alexa asking you to repeat yourself, which allows Alexa to continue listening without the user being aware.
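A review-side check for the pattern described above, as an added example that is not Checkmarx's or Amazon's code: it inspects a Skill's JSON response and flags one that keeps the session open while its reprompt contains nothing audible. The field names (`shouldEndSession`, `reprompt.outputSpeech`) come from the public Alexa Skills Kit response format rather than from this article, and the sample responses are constructed.

```python
import json
import re

_TAGS = re.compile(r"<[^>]+>")  # SSML markup itself produces no spoken words

def audible_text(speech):
    """Return the words a user would actually hear from an outputSpeech object."""
    if not isinstance(speech, dict):
        return ""
    raw = speech.get("ssml") if speech.get("type") == "SSML" else speech.get("text")
    # Simplification: <audio> clips are stripped too, so review those by hand.
    return _TAGS.sub(" ", raw or "").strip()

def audit_response(raw_json):
    """Return findings for one skill response; an empty list means nothing flagged."""
    resp = json.loads(raw_json).get("response", {})
    # Simplification: only an explicit false is treated as "session stays open".
    if resp.get("shouldEndSession") is not False:
        return []
    reprompt = resp.get("reprompt")
    if not isinstance(reprompt, dict):
        return []  # no reprompt requested; outside the scope of this check
    if not audible_text(reprompt.get("outputSpeech")):
        return ["session kept open with a reprompt the user cannot hear"]
    return []

def _sample(end_session, reprompt_speech=None):
    """Build a constructed calculator-style response for the demo below."""
    response = {"outputSpeech": {"type": "PlainText", "text": "5 plus 3 is 8"},
                "shouldEndSession": end_session}
    if reprompt_speech is not None:
        response["reprompt"] = {"outputSpeech": reprompt_speech}
    return json.dumps({"version": "1.0", "response": response})

# Constructed samples: silent reprompt, audible reprompt, session ended normally.
SILENT = _sample(False, {"type": "SSML", "ssml": "<speak> </speak>"})
AUDIBLE = _sample(False, {"type": "PlainText", "text": "Another calculation?"})
ENDED = _sample(True)

if __name__ == "__main__":
    for name, sample in (("silent", SILENT), ("audible", AUDIBLE), ("ended", ENDED)):
        print(name, audit_response(sample) or "ok")
```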
The proof-of-concept was a calculator Skill that functioned like any calculator would, but after it completed a math problem, the Echo Dot continued listening for more than a minute until the researcher told it to stop.
The voice recording itself goes to Amazon, but the transcription is sent to the developer of the Skill.
The flaw is perhaps worrisome because Amazon's Echo smart speakers in the home could have been listening to customers all along, though Amazon claims that the voice assistant doesn't listen to people until its wake word is activated.
Amazon promptly fixed the reported flaw, and the fix has been in place since April 10; Checkmarx made its findings public on Wednesday.