Checkmarx researchers including Erez Yalon have created a "rogue Alexa skill" that bypasses Amazon's security checks: it lurks silently and unkillably in the background of your Alexa, listening to all speech in range of it and transcribing it, then exfiltrating the text and audio of your speech to the attacker.
Checkmarx gave Amazon advance notice of the defect they exploited and Amazon has issued a patch; this is the second such flaw known to have been discovered in the Alexa platform. It's not known how many more such defects remain in the platform, or will be introduced in future versions.
Checkmarx did not attempt to get its poisoned skill approved for the Alexa store, so it's not known whether Amazon's internal checks would have detected it. The attack did have a critical weakness: Alexa's blue "listening light" illuminated while it was running; but as the team pointed out, the point of Alexa is that you can use it without looking at it.
One challenge for researchers was the issue of the “reprompt” feature in Alexa. Reprompts are used by Alexa if the service keeps the session open after sending the response but the user does not say anything, so Alexa will ask the user to repeat the order. However, Checkmarx researchers were able to replace the reprompt feature with empty reprompts, so that a listening cycle starts without letting the user know.
Researchers Hacked Amazon’s Alexa to Spy On Users, Again [Lindsey O'Donnell/Threatpost]
(Image: Cryteria, CC-BY)
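An added example (not Checkmarx's or Amazon's code): a review-time check for the pattern described above, a skill response that keeps the session open while its reprompt carries nothing audible. The field names are those of the Alexa custom-skill response JSON; the function names and the sample responses are constructed for illustration.

```python
import re

# Field names (response.outputSpeech, response.reprompt.outputSpeech,
# response.shouldEndSession) follow the Alexa custom-skill response JSON.
# Function names and the sample responses below are constructed for this example.

def _audible(speech):
    """Return True if an outputSpeech object contains anything a user would hear."""
    if not isinstance(speech, dict):
        return False
    raw = speech.get("ssml") or speech.get("text") or ""
    # <audio> clips are audible, so keep a marker for them before stripping markup.
    raw = re.sub(r"<audio\b[^>]*>", " audio ", raw, flags=re.I)
    return bool(re.sub(r"<[^>]+>", "", raw).strip())

def silent_listen_findings(envelope):
    """Flag a response that keeps the session open without audibly prompting."""
    resp = envelope.get("response", {})
    # Assumption: only an explicit false is treated as "session stays open".
    if resp.get("shouldEndSession", True) is not False:
        return []
    findings = []
    reprompt = resp.get("reprompt")
    if reprompt is not None and not _audible(reprompt.get("outputSpeech")):
        findings.append("session stays open with a silent reprompt")
    if not _audible(resp.get("outputSpeech")):
        findings.append("session stays open with no audible response")
    return findings

# Constructed sample responses.
BENIGN = {"version": "1.0", "response": {
    "outputSpeech": {"type": "PlainText", "text": "Which city?"},
    "reprompt": {"outputSpeech": {"type": "PlainText", "text": "Sorry, which city?"}},
    "shouldEndSession": False}}
SILENT = {"version": "1.0", "response": {
    "outputSpeech": {"type": "PlainText", "text": "Done."},
    "reprompt": {"outputSpeech": {"type": "SSML", "ssml": "<speak> </speak>"}},
    "shouldEndSession": False}}
CLOSED = {"version": "1.0", "response": {
    "outputSpeech": {"type": "PlainText", "text": "Done."},
    "shouldEndSession": True}}

if __name__ == "__main__":
    for name, env in (("benign", BENIGN), ("silent", SILENT), ("closed", CLOSED)):
        print(name, silent_listen_findings(env))
```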