What could possibly go wrong with intelligent assistants constantly listening to you?
Sophos said: "Getting an Amazon Echo app to silently eavesdrop on you"
In news that will surely be a surprise to nobody, apps that run on Amazon’s home assistant, Echo, can be turned into silent eavesdroppers: no fancy hacking required, no new Echo vulnerability pried open.
Or at least they could, until Amazon fixed it.
Researchers at information security firm Checkmarx demonstrated what we probably all suspected was possible but hoped wasn’t by tweaking options in Alexa’s software development kit (SDK) – the kit that’s used to develop software, known as skills, for the Echo.
The voice-activated skills are the equivalent of the apps on your phone: discreet bits of software that add capabilities to the device. There are skills for finding open restaurants near you, getting Starbucks started on your coffee order, checking your bank balance, hearing the latest news and turning on the Christmas lights.
And on somebody’s desk at Checkmarx, there’s one for eavesdropping on you. It silently captures transcripts of what you’re saying and sends them to an external log accessible to the researchers who rigged the trap.
Wired said: "Turning an Echo Into a Spy Device Only Took Some Clever Coding"
"We actually did not hack anything, we did not change anything, we just used the features that are given to developers," says Erez Yalon, the head of research at Checkmarx. "We had a few challenges that we had to overcome, but step by step it happened."
In fact, the researchers used an attack technique more common in mobile devices to carry off their eavesdropping. Whereas on a smartphone you might download a malicious app that snuck into, say, the Google Play Store, the researchers instead created a malicious Alexa applet—known as a "skill"—that could be uploaded to Amazon's Skill Store. Specifically, the researchers designed a skill that acts as a calculator, but has a lot more going on behind the scenes. (The Checkmarx team did not actually make their skill available to the general public.)