Researchers at cybersecurity firm Checkmarx have found a way to turn an Amazon Echo (Alexa-powered) smart speaker into an eavesdropping device.
They didn't use a vulnerability in the Echo device or Alexa service, but merely used the options available in the Alexa software development kit (SDK), normally made available to Alexa app developers.
Researchers abused Alexa SDK features like skills, intents, slots, reprompts, or end session parameters. All of these are technical terms and researchers explained what they mean and how they combined them in this two-page report.
Put simply, the Checkmarx team says it used the Alexa SDK to create a calculator app that continues to listen after providing the user with a reply to the initial question.
They abused a parameter called "shouldEndSession," which they set to false, meaning the malicious calculator app would expect a second question from the user, right after the reply to the first, but without the user having to say "Alexa, open calculator."
By design, Alexa remained open and recorded surrounding audio, expecting the second question. Inherently, this meant Alexa was transcribing all audio into words stored inside so-called slots, visible to the app developer in the app's logs.
The researchers also abused an Alexa SDK parameter called "reprompt," which is normally used by apps to prompt the user to repeat their input. Coupled with the "shouldEndSession" parameter that told Alexa to silently listen for the second question, this extended the recording interval by another 8 seconds to a total of 16.
The demo video below shows how such a hack would be carried out, and how hard it would be for a user to spot it.
Researchers said they disclosed this exploitation scenario to Amazon Alexa developers, who worked on and released protective measures.
According to researchers, Amazon rolled out an Alexa update that detects empty reprompts and longer-than-usual sessions, taking appropriate actions.
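The two signals the update is said to look for, empty reprompts and longer-than-usual sessions, can be checked in a skill's response JSON during review. The following is an added example, not code from Checkmarx or Amazon: the field layout follows the Alexa custom-skill response format, the sample responses are constructed, and `audit_session`, `spoken_text` and the `MAX_OPEN_TURNS` threshold are hypothetical.

```python
import re

# Constructed sample: successive response bodies one skill returned within a
# single session (field names follow the Alexa custom-skill response JSON).
CONSTRUCTED_SESSION = [
    {"response": {"outputSpeech": {"type": "PlainText", "text": "Two plus two is four."},
                  "reprompt": {"outputSpeech": {"type": "PlainText", "text": ""}},
                  "shouldEndSession": False}},
    {"response": {"outputSpeech": {"type": "PlainText", "text": "Three times three is nine."},
                  "reprompt": {"outputSpeech": {"type": "SSML", "ssml": "<speak></speak>"}},
                  "shouldEndSession": False}},
    {"response": {"outputSpeech": {"type": "PlainText", "text": "Goodbye."},
                  "shouldEndSession": True}},
]

MAX_OPEN_TURNS = 1  # hypothetical review threshold, not an Amazon value


def spoken_text(speech):
    """Return the audible words of an outputSpeech object, SSML tags stripped."""
    if not speech:
        return ""
    raw = speech.get("ssml") if speech.get("type") == "SSML" else speech.get("text")
    return re.sub(r"<[^>]+>", " ", raw or "").strip()


def audit_session(responses, max_open_turns=MAX_OPEN_TURNS):
    """Return (turn_index, reason) findings for one session's responses."""
    findings, open_turns = [], 0
    for i, body in enumerate(responses):
        resp = body.get("response", {})
        # Only an explicit false, the setting the article describes, counts as open.
        if resp.get("shouldEndSession") is not False:
            open_turns = 0
            continue
        open_turns += 1
        reprompt = resp.get("reprompt")
        if reprompt is not None and not spoken_text(reprompt.get("outputSpeech")):
            findings.append((i, "session kept open with silent reprompt"))
        if open_turns > max_open_turns:
            findings.append((i, "session open for %d consecutive turns" % open_turns))
    return findings


if __name__ == "__main__":
    for turn, reason in audit_session(CONSTRUCTED_SESSION):
        print("turn %d: %s" % (turn, reason))
```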
This is also not the first security flaw affecting Alexa devices. Back in September 2017, researchers disclosed DolphinAttack, a way to take over smart home speakers like Echo using ultrasound. Alexa was also affected by the BlueBorne vulnerability.