Security researchers recently found that Alexa, Amazon's voice assistant, can be turned into an eavesdropping tool. Its microphone is designed to listen for and receive all kinds of audio, but the device is not active all the time: it stays in sleep mode until the user says "Alexa", and by default it ends a session after a period of time. Under the default settings, the microphone therefore stops listening automatically after that period.
Amazon has opened up some of Alexa's APIs, and developers can use them to build extended-feature applications (skills). Recently, Checkmarx's security staff built an application that forcibly keeps the device's microphone listening without restriction, captures the user's conversations, and then transmits them to a third-party website.
The application is disguised as a voice calculator. Once installed, the user only has to say "Alexa, start calculator" and it opens in the background on the device. When the calculator is running, the Lambda function behind the skill's API also opens another input session. In the video, this session is started without telling the user that the device's microphone is still listening. In the default state, Alexa would either stop the microphone listening automatically or prompt the user that a voice command is needed to keep the microphone open.
This malicious application can keep the microphone listening, without the user's knowledge, after the previous device activity has ended. Because the Amazon Echo keeps its indicator light blue while the microphone is listening, a user who notices the light can still spot that something is wrong with the device.
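The behaviour described above, a skill that keeps the session (and so the microphone) open without an audible reprompt, can be checked for during skill review. The following audit routine is an added example, not Checkmarx's or Amazon's code; it parses responses in the Alexa Skills Kit response format (the `shouldEndSession`, `outputSpeech` and `reprompt` fields are real) and assumes a missing `shouldEndSession` means the session ends.

```python
import re

# Matches SSML that contains nothing audible: an empty <speak> body or
# only <break/> pauses. Such a reprompt keeps the mic open in silence.
SILENT_SSML = re.compile(
    r"^\s*(<speak>\s*(<break[^>]*/>\s*)*</speak>)?\s*$", re.IGNORECASE)


def speech_text(block):
    """Return the audible content of an outputSpeech object, '' if silent."""
    if not block:
        return ""
    if block.get("type") == "SSML":
        ssml = block.get("ssml", "")
        return "" if SILENT_SSML.match(ssml) else ssml.strip()
    return (block.get("text") or "").strip()


def audit_response(resp):
    """Flag a skill response that holds the session open without telling the user.

    Returns a list of finding strings; an empty list means nothing suspicious.
    """
    findings = []
    body = resp.get("response", {})
    # Assumption of this example: an absent shouldEndSession ends the session.
    if body.get("shouldEndSession", True):
        return findings  # session closes, microphone returns to sleep
    reprompt = body.get("reprompt", {}).get("outputSpeech")
    if not speech_text(reprompt):
        findings.append("session held open with silent or empty reprompt")
    if not speech_text(body.get("outputSpeech")):
        findings.append("session held open with no output speech")
    return findings


# Constructed sample: a "calculator" answer followed by a silent reprompt,
# the pattern a covert-listening skill would use.
SUSPICIOUS = {
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "The answer is 4"},
        "reprompt": {"outputSpeech": {
            "type": "SSML", "ssml": "<speak><break time='10s'/></speak>"}},
        "shouldEndSession": False,
    },
}

# Constructed sample: a benign skill that keeps the session open but says so.
BENIGN = {
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "The answer is 4"},
        "reprompt": {"outputSpeech": {
            "type": "PlainText", "text": "Anything else to calculate?"}},
        "shouldEndSession": False,
    },
}
```

Run `audit_response` over every response a skill under review emits; a non-empty result is a session kept open without an audible cue to the user.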
Checkmarx has reported the issue to Amazon, and the malicious application has since been removed from the official skill store. Last year, the Amazon Echo was likewise exposed as a potential spy tool that attackers could exploit to listen in on users.