Amazon patches Alexa after researchers let speaker listen continuously via skill
Amazon has made changes to the way its Alexa assistant listens to voice commands, for example on its Echo speakers. Researchers used a skill to have a speaker listen continuously after a voice command and were thus able to overhear conversations.
The researchers, who are affiliated with security firm Checkmarx, describe their findings in a blog post and a short report. They tell Cnet that there did not seem to be a time limit on how long sound could continue to be recorded. The only thing a target could notice was that the Echo speaker's blue light stayed on, indicating that Alexa was still listening. Amazon confirms to the site that it has taken steps. According to the researchers, the company now applies criteria during the skill certification process to detect eavesdropping opportunities. Amazon also takes note of recording sessions that are longer than usual.
The researchers explain that they developed a calculator skill with the Alexa SDK. Users can ask an Alexa device to perform a certain calculation. By using, among other things, the so-called reprompt function, which the Alexa software uses when a command is not understood, they were able to make the device keep listening even when the command had been understood correctly. Alexa also did not say that the command had not been understood, because the researchers had muted that message. For someone to be eavesdropped on, that person must have turned on the skill in question.
Developers of Alexa skills don’t get access to audio recordings, but the researchers set up their malicious app so that the skill picked up every word and saw it as input. As a result, they had access to the words in text form via a log file, they write in the report.
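The reprompt behaviour described above is something a skill review can check for mechanically. The following is an added example, not code from Amazon or Checkmarx: it audits skill response JSON for sessions that are kept open while the reprompt contains nothing audible. The threshold, the finding names and the sample responses are assumptions made for illustration.

```javascript
// Added example: certification-style audit of skill responses.
// Field names follow the Alexa skill response JSON; threshold and samples are assumptions.
const MAX_SILENT_OPEN_TURNS = 3; // assumed limit for "longer than usual"

// Words a user would actually hear, with SSML markup removed.
function audibleText(speech) {
  if (!speech) return "";
  const raw = speech.type === "SSML" ? speech.ssml : speech.text;
  return String(raw || "").replace(/<[^>]*>/g, " ").trim();
}

// Findings for one response envelope.
function auditResponse(envelope) {
  const r = (envelope && envelope.response) || {};
  const findings = [];
  // Simplification: only an explicit false is treated as "keep listening".
  if (r.shouldEndSession !== false) return findings;
  if (r.reprompt && audibleText(r.reprompt.outputSpeech) === "") {
    findings.push("silent-reprompt");
  }
  if (audibleText(r.outputSpeech) === "") findings.push("silent-open-response");
  return findings;
}

// Findings for the ordered responses of one session, with the longest
// run of consecutive turns that kept listening behind a silent reprompt.
function auditSession(envelopes) {
  let run = 0, longest = 0;
  const perTurn = envelopes.map((e) => {
    const f = auditResponse(e);
    run = f.includes("silent-reprompt") ? run + 1 : 0;
    longest = Math.max(longest, run);
    return f;
  });
  return { perTurn, longest, flagged: longest > MAX_SILENT_OPEN_TURNS };
}

// Constructed sample responses (not captured from a real skill).
const speak = (text) => ({ type: "PlainText", text });
const normalTurn = { response: { outputSpeech: speak("Four"), shouldEndSession: true } };
const promptTurn = { response: { outputSpeech: speak("Which numbers?"),
  reprompt: { outputSpeech: speak("Please name two numbers.") }, shouldEndSession: false } };
const quietTurn = { response: { outputSpeech: speak("Four"),
  reprompt: { outputSpeech: speak("") }, shouldEndSession: false } };

console.log(auditSession([promptTurn, quietTurn, quietTurn, quietTurn, quietTurn]));
```

A single silent reprompt is already worth a reviewer's attention; the run length only separates a one-off from a session that keeps listening turn after turn.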