
In the News

Amazon Alexa Tricked By Security Researchers To Keep Listening

7 May 2018 | By Chuck Martin

Researchers from security firm Checkmarx say they have found a way to keep Amazon’s digital assistant Alexa listening in on what is said -- and even transcribe it.

The researchers created a calculator skill for the device. When the skill was launched, the researchers asked a calculation question, which Alexa answered, based on a video by Checkmarx.


Alexa Turned Spy, Able to Snoop on Users

7 May 2018 | By Kacy Zurkus

Amazon put a quick stop to an issue in Alexa’s skill set after Checkmarx researchers reported that her skill set could be expanded to listen in on users not just some of the time but all of the time.

According to a Checkmarx research paper, Alexa skills can be developed in different languages using the Alexa skill set, which integrates with the AWS-Lambda function. The personal assistant device is always listening for the user’s voice so that when recognized, Alexa is activated.


Security Researchers Created a ‘Skill’ that Allows Alexa to Spy on You

7 May 2018 | By AJ Dellinger

The vulnerability, which Amazon has since patched, was discovered by cybersecurity company Checkmarx. Experts at the firm were able to create a “skill”—Amazon’s term for an application for Alexa—that could secretly record a victim and transcribe entire conversations caught on mic.

The security researchers hid the malicious task in a seemingly innocuous calculator skill that could be used to solve math problems. Unbeknownst to any victim who installed the skill, asking Alexa to use the app would enable the attack.


Alexa Skill Developed to Eavesdrop on Conversations, Amazon Fixes Vulnerability

7 May 2018 | By Jagmeet Singh

The researchers at cyber-security company Checkmarx hid the malicious application in a simple calculator skill that is meant to solve common mathematics problems. While Alexa is designed to process commands after hearing the "Alexa" wake word and ends the session or waits for another command for a brief moment after processing the first command, the skill in question kept it waiting long after the last communication. The skill also enabled voice recording, without informing users. All this made it possible for the researchers to silently capture conversations from Alexa.


Researchers found a way to hack Amazon’s Alexa: report

7 May 2018 | By Fox News Staff

Independent Women’s Forum’s Nan Hayworth and Democratic strategist Wendy Osefo discuss the report that researchers discovered a way to hack Amazon’s Alexa.


This ‘Skill’ Can Trick Amazon Alexa Into Eavesdropping For Hackers

7 May 2018 | By Manisha Priyadarshini

A team of security researchers at Checkmarx have created a “skill” that can turn Amazon’s virtual assistant Alexa into an eavesdropping device. It abuses the built-in request capabilities of the device to record your conversation indefinitely and send the transcripts to any third party website or Amazon.

Alexa has been designed to detect sound at all times to catch any voice command given by the user. It is supposed to exchange data with Amazon servers to process commands only after hearing the wake word which is most commonly ‘Alexa.’


Amazon’s Alexa Hacked To Surreptitiously Record Everything It Hears

7 May 2018 | By Kevin Murnane

Voice-activated assistants like Amazon’s Alexa and the Google Assistant are convenient and powerful tools for getting information and carrying out tasks. They also raise privacy questions because they record their interactions with the user and are always-on waiting to hear their wake-up command. What the voice-activated assistants hear and record is limited in normal use, but the potential for abuse is a cause for concern. That potential has now been realized. Alexa has been hacked to surreptitiously record everything it can hear.

Checkmarx makes a suite of tools for developers to test the security of their software before it’s released to the public. Last January, the company exposed vulnerabilities leading to privacy breaches in the Tinder dating app. Now the researchers at Checkmarx have demonstrated how Alexa can be hacked to record what it hears.


Researchers say they tricked Alexa into spying on them

7 May 2018 | By Steven Melendez

Researchers at security firm Checkmarx say they built a proof-of-concept skill for Amazon’s Echo devices that in theory could have voice assistant Alexa listen to, transcribe, and report what users said after they thought they had finished using a legitimate service.

They took advantage of a feature that allows a skill to extend the time it listens to users after it’s been activated if it prompts them for more information by playing an inaudible prompt. That way, their skill, which offered a simple calculator, could keep getting transcripts from Alexa of what users said without them getting any audio cue that the device was still listening. A light would likely have been visible on affected devices, Threatpost reports, but users wouldn’t notice it unless they looked at the device.


Researchers Find Amazon Alexa Can Be Hacked to Record Users

7 May 2018 | By Sean Michael Kerner

On April 25, security firm Checkmarx publicly disclosed that it has found that a malicious developer can trick Amazon's Alexa voice assistant technology to record everything a user says.

At this time, it's not clear if any hackers have ever exploited the flaw, which is not in the Amazon Echo hardware, but rather is an abuse of functionality in the Alexa Skills feature set. Developers can extend Alexa's technology by building skills that provide new functionality for end users. Checkmarx found that there were several unbounded parameters that were available to Alexa skills developers that could have enabled a malicious developer to record and even transcribe what a user says, even after the user had finished communicating with the device.


Amazon fixed an exploit that allowed Alexa to listen all the time

7 May 2018 | By Rob LeFebvre

Amazon's Alexa is good at listening, since it has to be ready when you say its wake word, like "Alexa," "Echo" or "Computer." That very same feature, though, has people worried about their own privacy. Researchers from security firm Checkmarx have found a way to get Alexa to listen in and send a transcript of any conversations that it records while eavesdropping.
