Move over, Mr. Bond: you may just have been replaced by technology, namely Alexa from Amazon. How is such a thing possible? Read on and see what hackers were able to accomplish with the popular appliance.
What are Alexa skills?
Think of “skills” like apps for Alexa. They are pieces of code that can be installed on Alexa to perform specific tasks. Any company can create them. One example is a skill that will get your electricity usage from your utility. In the case described here, it was a calculator skill to help solve math problems.
Skills greatly enhance the usefulness of Alexa but can also be created with bad intentions at their core.
However, the hackers, white hat ones in this case, found they could get around this feature by developing a malicious skill that launched a second, unannounced session. They did this with a calculator skill. The user might say, “Alexa, what is the square root of 65?” Alexa would compute the answer while, in the background, the malicious code started a second session. So when the calculation was completed, the user would not be aware that the microphone was still active. Anything they said was recorded, and a transcript was sent to a third-party site.
Fortunately, the hackers informed Amazon, which developed additional software that searches for sessions that go on longer than they should. Also, a tell-tale sign for users would be the blue LED “active” light staying on past the time they stopped talking with Alexa. In this case, the good guys got out ahead of the bad actors.
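A check for sessions that go on longer than they should could look like the following. This is an added example, not Amazon's software and not code from the original article; the event log format, the field names and the 8-second threshold are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime

MAX_SILENT_TAIL = 8.0  # assumed: seconds a session may stay open after the skill last spoke
# Constructed sample events in a hypothetical format: time, session, skill, event
SAMPLE_LOG = """\
2024-01-01T10:00:00 s1 calculator session_open
2024-01-01T10:00:01 s1 calculator user_speech
2024-01-01T10:00:03 s1 calculator skill_speech
2024-01-01T10:00:04 s1 calculator session_close
2024-01-01T10:05:00 s2 calculator session_open
2024-01-01T10:05:01 s2 calculator user_speech
2024-01-01T10:05:03 s2 calculator skill_speech
2024-01-01T10:05:20 s2 calculator user_speech
2024-01-01T10:05:41 s2 calculator user_speech
2024-01-01T10:06:10 s2 calculator session_close
2024-01-01T10:10:00 s3 quiz session_open
2024-01-01T10:10:01 s3 quiz user_speech
2024-01-01T10:10:03 s3 quiz skill_speech
2024-01-01T10:10:07 s3 quiz user_speech
2024-01-01T10:10:09 s3 quiz skill_speech
2024-01-01T10:10:10 s3 quiz session_close
"""

def parse(log):  # group (timestamp, event) pairs by (session, skill)
    sessions = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ts, sid, skill, event = line.split()
            sessions[(sid, skill)].append((datetime.fromisoformat(ts), event))
    return sessions

def find_overlong_sessions(log, max_tail=MAX_SILENT_TAIL):
    """Flag sessions that stay open long after the skill's last audible output."""
    findings = []
    for (sid, skill), events in sorted(parse(log).items()):
        events.sort()
        spoken = [t for t, e in events if e == "skill_speech"]
        last_audible = spoken[-1] if spoken else events[0][0]  # never spoke: count from open
        tail = (events[-1][0] - last_audible).total_seconds()
        # Speech captured after the last audible output was never prompted for.
        unprompted = sum(1 for t, e in events if e == "user_speech" and t > last_audible)
        if tail > max_tail:
            findings.append({"session": sid, "skill": skill,
                             "silent_tail_s": tail, "unprompted_captures": unprompted})
    return findings

if __name__ == "__main__":
    print(find_overlong_sessions(SAMPLE_LOG))
```

Only session `s2` is flagged: the ordinary calculator request (`s1`) and the multi-turn quiz (`s3`) both close within a second of the skill's last spoken output.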
This type of hack relies on social engineering, in other words, getting a person to take an action that results in the skill being used. It is like clicking on links in unexpected emails or opening files. Before installing a skill, be sure to verify the source and decide whether it is trustworthy. Alexa may not have a license to kill like James Bond, but she can listen in on all your conversations, and sometimes that is the perfect 00 skill for the situation.
For more information on secure communication and encryption, don't forget to visit www.crip.to before Alexa gets you.