Checkmarx researchers including Erez Yalon have created a "rogue Alexa skill" that bypasses Amazon's security checks: it lurks silently and unkillably in the background of your Alexa, listening to all speech in range of it and transcribing it, then exfiltrating the text and audio of your speech to the attacker.
Checkmarx gave Amazon advance notice of the defect they exploited and Amazon has issued a patch; this is the second such flaw known to have been discovered in the Alexa platform. It's not known how many more such defects remain in the platform, or will be introduced in future versions.
Checkmarx did not attempt to get its poisoned skill approved for the Alexa store, so it's not known whether Amazon's internal checks would have detected it. The attack did have a critical weakness: Alexa's blue "listening light" illuminated while it was running; but as the team pointed out, the point of Alexa is that you can use it without looking at it.
One challenge for the researchers was Alexa's "reprompt" feature. A reprompt is what Alexa says when a skill keeps the session open after sending its response but the user says nothing; Alexa then asks the user to repeat their request, which also tells the user that the device is still listening. The Checkmarx researchers replaced the reprompt with an empty one, so a new listening cycle starts without anything being spoken to alert the user.
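The behaviour described above (session kept open, reprompt emptied) is visible in the JSON a skill backend returns to Alexa, so it is something a skill reviewer or a developer's CI check can audit for. The following is an added example, not code from Checkmarx, Threatpost or Amazon: a small audit over Alexa-style skill response documents that flags responses which keep the session open while the reprompt is absent or silent, and which flags a run of such responses within one session. It assumes the public Alexa response shape (`response.shouldEndSession`, `response.reprompt.outputSpeech` with `text` or `ssml`) and that an omitted `shouldEndSession` defaults to true; the sample responses are constructed for illustration.

```python
import json
import re

# Assumption: per the public skill response format, a missing
# shouldEndSession is treated as true (the session ends).
DEFAULT_END_SESSION = True

def _spoken_content(output_speech):
    """Return the words a user would actually hear from an outputSpeech object."""
    if not output_speech:
        return ""
    text = output_speech.get("text") or output_speech.get("ssml") or ""
    # Strip SSML markup such as <speak></speak> so an SSML-only wrapper counts as silent.
    return re.sub(r"<[^>]+>", "", text).strip()

def audit_response(raw_json):
    """Audit one skill response; returns a list of human-readable findings."""
    doc = json.loads(raw_json)
    resp = doc.get("response", {})
    findings = []
    keeps_open = resp.get("shouldEndSession", DEFAULT_END_SESSION) is False
    if not keeps_open:
        return findings  # session ends; the device stops listening for this skill
    reprompt = resp.get("reprompt")
    if reprompt is None:
        findings.append("session kept open with no reprompt")
    elif not _spoken_content(reprompt.get("outputSpeech")):
        findings.append("session kept open with a silent reprompt")
    return findings

def audit_session(raw_responses, max_silent_reopens=2):
    """Audit a sequence of responses from one session.

    Flags each silent re-open and, once more than max_silent_reopens occur
    in a row, flags the session as a whole: a skill that keeps re-opening
    the microphone without ever speaking is the pattern worth reviewing.
    """
    report = []
    silent_run = 0
    for i, raw in enumerate(raw_responses):
        findings = audit_response(raw)
        if findings:
            silent_run += 1
            report.append((i, findings))
        else:
            silent_run = 0
        if silent_run > max_silent_reopens:
            report.append((i, ["repeated silent re-opens in one session"]))
            break
    return report

# Constructed sample responses (not captured from a real skill).
NORMAL = json.dumps({
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "Which city?"},
        "reprompt": {"outputSpeech": {"type": "PlainText",
                                      "text": "Sorry, which city did you want?"}},
        "shouldEndSession": False,
    },
})
SILENT = json.dumps({
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "SSML", "ssml": "<speak></speak>"},
        "reprompt": {"outputSpeech": {"type": "SSML", "ssml": "<speak></speak>"}},
        "shouldEndSession": False,
    },
})
ENDED = json.dumps({"version": "1.0",
                    "response": {"outputSpeech": {"type": "PlainText", "text": "Bye."}}})

if __name__ == "__main__":
    for name, raw in (("normal", NORMAL), ("silent", SILENT), ("ended", ENDED)):
        print(name, audit_response(raw))
    print(audit_session([SILENT, SILENT, SILENT, SILENT]))
```

The per-response check is what a store review pipeline could run on every response a skill emits during certification; the per-session check is closer to what a runtime monitor would do, since a legitimate skill may occasionally keep a session open with a short reprompt but has no reason to do so silently many times in succession.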
Researchers Hacked Amazon’s Alexa to Spy On Users, Again [Lindsey O'Donnell/Threatpost]
(Image: Cryteria, CC-BY)