Checkmarx researchers including Erez Yalon have created a "rogue Alexa skill" that bypasses Amazon's security checks: it lurks silently and unkillably in the background of your Alexa, listening to all speech in range of it and transcribing it, then exfiltrating the text and audio of your speech to the attacker.
Checkmarx gave Amazon advance notice of the defect they exploited and Amazon has issued a patch; this is the second such flaw known to have been discovered in the Alexa platform. It's not known how many more such defects remain in the platform, or will be introduced in future versions.
Checkmarx did not attempt to get its poisoned skill approved for the Alexa store, so it's not known whether Amazon's internal checks would have detected it. The attack did have a critical weakness: Alexa's blue "listening light" illuminated while it was running; but as the team pointed out, the point of Alexa is that you can use it without looking at it.
One challenge for researchers was the issue of the “reprompt” feature in Alexa. Reprompts are used by Alexa if the service keeps the session open after sending the response but the user does not say anything, so Alexa will ask the user to repeat the order. However, Checkmarx researchers were able to replace the reprompt feature with empty reprompts, so that a listening cycle starts without letting the user know.
Researchers Hacked Amazon’s Alexa to Spy On Users, Again [Lindsey O'Donnell/Threatpost]
(Image: Cryteria, CC-BY)