In the News

Amazon’s Alexa Hacked To Surreptitiously Record Everything It Hears

7 May 2018 | By Kevin Murnane

Voice-activated assistants like Amazon’s Alexa and the Google Assistant are convenient and powerful tools for getting information and carrying out tasks. They also raise privacy questions because they record their interactions with the user and are always-on waiting to hear their wake-up command. What the voice-activated assistants hear and record is limited in normal use, but the potential for abuse is a cause for concern. That potential has now been realized. Alexa has been hacked to surreptitiously record everything it can hear.

Checkmarx makes a suite of tools for developers to test the security of their software before it’s released to the public. Last January, the company exposed vulnerabilities leading to privacy breaches in the Tinder dating app. Now the researchers at Checkmarx have demonstrated how Alexa can be hacked to record what it hears.


Researchers say they tricked Alexa into spying on them

7 May 2018 | By Steven Melendez

Researchers at security firm Checkmarx say they built a proof-of-concept skill for Amazon’s Echo devices that in theory could have voice assistant Alexa listen to, transcribe, and report what users said after they thought they had finished using a legitimate service.

They took advantage of a feature that allows a skill to extend the time it listens to users after it’s been activated if it prompts them for more information by playing an inaudible prompt. That way, their skill, which offered a simple calculator, could keep getting transcripts from Alexa of what users said without them getting any audio cue that the device was still listening. A light would likely have been visible on affected devices, Threatpost reports, but users wouldn’t notice it unless they looked at the device.


Researchers Find Amazon Alexa Can Be Hacked to Record Users

7 May 2018 | By Sean Michael Kerner

On April 25, security firm Checkmarx publicly disclosed that it has found that a malicious developer can trick Amazon's Alexa voice assistant technology to record everything a user says.

At this time, it's not clear if any hackers have ever exploited the flaw, which is not in the Amazon Echo hardware, but rather is an abuse of functionality in the Alexa Skills feature set. Developers can extend Alexa's technology by building skills that provide new functionality for end users. Checkmarx found that there were several unbounded parameters that were available to Alexa skills developers that could have enabled a malicious developer to record and even transcribe what a user says, even after the user had finished communicating with the device.


Amazon fixed an exploit that allowed Alexa to listen all the time

7 May 2018 | By Rob LeFebvre

Amazon's Alexa is good at listening, since it has to be ready when you say its wake word, like "Alexa," "Echo" or "Computer." That very same feature, though, has people worried about their own privacy. Researchers from security firm Checkmarx have found a way to get Alexa to listen in and send a transcript of any conversations that it records while eavesdropping.


Amazon has fixed a bug that allowed hackers to listen in on Alexa devices

7 May 2018 | By Kayla Matthews

Checkmarx was able to create a skill that allowed hackers to listen in on Echo devices and their users’ conversations. Amazon fixed the problem earlier this month, but the incident serves as a cautionary tale as our homes become more connected and voice assistant speakers become more common.


Amazon Alexa is Hacked, Again; The Security of Users’ Personal Info Is Questioned

7 May 2018 | By Divya Nayak

As per Checkmarx Researchers, they were able to manipulate code within a built-in Alexa JavaScript library (ShouldEndSession) to pull off the hack. The JavaScript library is tied to Alexa’s orders to stop listening if it doesn’t hear the user’s command properly. Checkmarx’s tweak to the code simply enabled Alexa to continue listening, no matter the voice request order.


Is Alexa spying on YOU? Security researchers reveal how the assistant’s code could be tweaked to create new ‘skill’ that lets it eavesdrop

7 May 2018 | By

Researchers at cybersecurity firm Checkmarx created what seemed to be a harmless calculator skill, or an application used for the voice-activated assistant, that would secretly record long after a user made a command.

Alexa-enabled devices are programmed to only respond and record interactions when they're prompted by a 'wake word', such as 'Echo,' 'Alexa' or 'computer'.


Amazon’s Alexa had a flaw that let eavesdroppers listen in

7 May 2018 | By Alfred Ng

Alexa is a good listener -- so good, in fact, that researchers discovered a way to have it record audio indefinitely.

Amazon's smart voice assistant had a coding flaw that could have let malicious developers turn the Echo into a listening device.

Alexa, the voice assistant used by millions of smart gadgets including Amazon's popular Echo lineup, uses what it calls Skills to carry out commands. You ask if rain is coming, for example, and Alexa uses the "Weather" Skill to answer.


Amazon’s Alexa had a slight eavesdropping flaw

7 May 2018 | By Joe Uchill

Researchers at the security firm CheckMarx discovered a security flaw in Amazon's Alexa voice enabled digital personal assistant that could have been used to eavesdrop and transcribe any ambient conversation.

But, there are caveats: The flaw requires a user to not only install, but also run a malicious app on Alexa, and not notice Alexa's trademark blue light never turns off. Amazon has now released a patch, meaning it is not an issue for up-to-date Alexa systems.


Flaw let Amazon Alexa record users without knowing

29 Apr 2018 | By Good Morning America

Researchers at cybersecurity firm Checkmarx say they found a flaw that could have let the smart speaker record users without them knowing it.
