In the News

Researchers Hacked Amazon’s Alexa to Spy On Users, Again

7 May 2018 | By Lindsey O’Donnell

A malicious proof-of-concept Amazon Echo Skill shows how attackers can abuse the Alexa virtual assistant to eavesdrop on consumers with smart devices – and automatically transcribe every word said.

Checkmarx researchers told Threatpost that they created a proof-of-concept Alexa Skill that abuses the virtual assistant’s built-in request capabilities. The rogue Skill begins with the initiation of an Alexa voice-command session that fails to terminate (stop listening) after the command is given. Next, any recorded audio is transcribed (if voices are captured) and a text transcript is sent to a hacker. Checkmarx said it brought its proof-of-concept attack to Amazon’s attention and that the company fixed a coding flaw that allowed the rogue Skill to capture prolonged audio on April 10.


Latest Alexa hack shows Echo could be turned into scary spying device

7 May 2018 | By Colm Gorey

According to Forbes, the discovery was made by a company called Checkmarx, whose tools test the security of soon-to-be released software.

The hack exploits Alexa’s in-built function to listen out for follow-up commands from the user – for example, it might ask did you mean pm or am when you asked to set an alarm for a certain time.


Hacking the Amazon Alexa virtual assistant to spy on unaware users

7 May 2018 | By Pierluigi Paganini

Checkmarx experts created a proof-of-concept Amazon Echo Skill for Alexa that instructs the device to eavesdrop on users’ conversations and then sends the transcripts to a website controlled by the attackers.


Amazon Echo made to eavesdrop without exploit or manipulation

7 May 2018 | By Robert Abel

Checkmarx security researchers developed a proof-of-concept attack that would enable an Amazon Echo to continue recording a user long after a request is made.


Researchers Find Alexa Security Flaw to Spy on Users

7 May 2018 | By Priya Anand

Security researchers at the firm Checkmarx said they found a way to create an Alexa skill that would continue listening to users long after they prompted the software, according to Threatpost. The rogue skill could then send a recording and transcript of any audio to its creators.

Amazon said it has fixed the flaw, which researchers reported to the company before going public with their findings. It’s worth noting that Checkmarx didn’t try to push its skill through Amazon’s certification system to make it available to the public, so we can’t be sure as to whether Amazon has controls in place to avoid skills like this from slipping through. For those interested in learning exactly how the researchers were able to manipulate Alexa, it’s worth reading the whole story.


Amazon Alexa Tricked By Security Researchers To Keep Listening

7 May 2018 | By Chuck Martin

Researchers from security firm Checkmarx say they have found a way to keep Amazon’s digital assistant Alexa listening in on what is said -- and even transcribe it.

The researchers created a calculator skill for the device. When the skill was launched, the researchers asked a calculation question, which Alexa answered, based on a video by Checkmarx.


Alexa Turned Spy, Able to Snoop on Users

7 May 2018 | By Kacy Zurkus

Amazon put a quick stop to an issue in Alexa’s skill set after Checkmarx researchers reported that her skill set could be expanded to listen in on users not just some of the time but all of the time.

According to a Checkmarx research paper, Alexa skills can be developed in different languages using the Alexa skill set, which integrates with the AWS-Lambda function. The personal assistant device is always listening for the user’s voice so that when recognized, Alexa is activated.


Security Researchers Created a ‘Skill’ that Allows Alexa to Spy on You

7 May 2018 | By AJ Dellinger

The vulnerability, which Amazon has since patched, was discovered by cybersecurity company Checkmarx. Experts at the firm were able to create a “skill”—Amazon’s term for an application for Alexa—that could secretly record a victim and transcribe entire conversations caught on mic.

The security researchers hid the malicious task in a seemingly innocuous calculator skill that could be used to solve math problems. Unbeknownst to any victim who installed the skill, asking Alexa to use the app would enable the attack.


Alexa Skill Developed to Eavesdrop on Conversations, Amazon Fixes Vulnerability

7 May 2018 | By Jagmeet Singh

The researchers at cyber-security company Checkmarx hid the malicious application in a simple calculator skill that is meant to solve common mathematics problems. While Alexa is designed to process commands after hearing the "Alexa" wake word and then end the session or wait for another command for a brief moment after processing the first command, the skill in question kept it waiting long after the last communication. The skill also enabled voice recording, without informing users. All this made it possible for the researchers to silently capture conversations from Alexa.


Researchers found a way to hack Amazon’s Alexa: report

7 May 2018 | By Fox News Staff

Independent Women’s Forum’s Nan Hayworth and Democratic strategist Wendy Osefo discuss the report that researchers discovered a way to hack Amazon’s Alexa.
