Security researchers have created an Alexa skill for Amazon’s popular voice assistant that allows the device to indefinitely listen to your conversations. The vulnerability has since been patched by Amazon.
The security researchers hid the malicious behaviour inside a calculator skill that appears to solve math problems; asking Alexa to use that skill activates the script that carries out the attack.
When a user opens a session with the calculator skill, the skill spawns a second session, but Alexa gives no spoken prompt to tell the user that the microphone is still active. The attack only requires the victim to install the skill on their Alexa device. The major red flag is that the victim has no way of noticing that Alexa is still listening.
While Alexa was designed to pick up users' commands, the listening window for a command should be short, and the device should only connect to Amazon's servers to process those commands. The device's core OS should control how other skills behave and should be able to terminate sessions that run for extended periods of time.
After the issue was reported, Amazon swiftly fixed the issue by killing voice sessions that exist longer than intended.
“Customer trust is important to us and we take security and privacy seriously,” a spokesperson for Amazon told Gizmodo. “We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do.”
The company must ensure that it has closed the loophole correctly and that such malicious skills never make it into the store. Furthermore, Amazon has willingly handed over data from Alexa to law enforcement.