A malicious proof-of-concept Amazon Echo Skill shows how attackers can abuse the Alexa virtual assistant to eavesdrop on consumers with smart devices – and automatically transcribe every word said.
Checkmarx researchers told Threatpost that they created a proof-of-concept Alexa Skill that abuses the virtual assistant’s built-in request capabilities. The rogue Skill begins by initiating an Alexa voice-command session that fails to terminate (stop listening) after the command is given. Next, any recorded audio in which voices are captured is transcribed, and a text transcript is sent to a hacker. Checkmarx said it brought its proof-of-concept attack to Amazon’s attention and that on April 10 the company fixed a coding flaw that allowed the rogue Skill to capture prolonged audio.