
Checkmarx | Amazon Alexa Has Got Some Serious Skills—Spying On Users!


Author: Administrator | Posted: 18-07-19 10:28 | Views: 4,252 | Comments: 0


  

Researchers at Checkmarx, an Israeli application security company, have found that Amazon's AI voice assistant Alexa can be abused to eavesdrop on users.

 

"Alexa, are you spying on me?" — aaaa.....mmmm.....hmmm.....maybe!!!
 
 Security researchers have developed a new malicious 'skill' for Amazon's popular voice assistant Alexa that can turn your Amazon Echo into a full-fledged spying device.
 
 Amazon Echo is an always-listening voice-activated smart home speaker that allows you to get things done by using your voice, like playing music, setting alarms, and answering questions.
 
 However, the device doesn’t remain activated all the time; instead, it sleeps until the user says, "Alexa," and by default, it ends a session after some duration.

 

 

 

Amazon also allows developers to build custom 'skills,' applications for Alexa, which is the brain behind millions of voice-activated smart devices including Amazon Echo Show, Echo Dot, and Amazon Tap.
 
 However, security researchers at cybersecurity firm Checkmarx created a proof-of-concept voice-driven 'skill' for Alexa that forces the device to indefinitely record surrounding voices to secretly eavesdrop on users' conversations and then sends the complete transcripts to a third-party website.

 

Disguised as a simple calculator for solving maths problems, the malicious skill, if installed, immediately gets activated in the background after a user says "Alexa, open calculator."

 

 

 

In a video demonstration, researchers show that when a user opens up a session with the calculator app, it also creates a second session in the background without verbally indicating to the user that the microphone is still active.

 

 

 

By design, Alexa should either end a session or ask the user for another command to keep the session open. However, the hack could allow attackers to keep the second session active for spying on users while ending the first once the user interaction is over.
 
 Luckily, you can still catch the spy red-handed if you notice the blue light on your Echo device staying on for a longer period, especially when you are not chit-chatting with it.
 
 Checkmarx reported the issue to Amazon, and the company has already addressed the problem by regularly scanning for malicious skills that "silent prompts or that listen for unusual lengths of time" and kicking them out of their official store.
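
The kind of check Amazon describes can be sketched as follows. This is an added example, not code from Checkmarx, Amazon or the original article: it inspects Alexa Skills Kit response JSON for sessions kept open with no audible prompt or reprompt, and for sessions that stay open past a threshold. The 60-second threshold, the finding names and the sample responses are assumptions constructed for illustration.

```python
import re

MAX_OPEN_SECONDS = 60  # assumed threshold; the article gives no figure

def keeps_open(envelope):
    """True when the response explicitly asks to keep the session open."""
    return envelope.get("response", {}).get("shouldEndSession") is False

def spoken_text(speech):
    """Return the audible words of an outputSpeech object ('' if silent)."""
    if not speech:
        return ""
    raw = speech.get("ssml") if speech.get("type") == "SSML" else speech.get("text")
    # SSML tags carry no words, so remove them before checking for content.
    return re.sub(r"<[^>]+>", " ", raw or "").strip()

def audit_response(envelope):
    """Flag a response that keeps listening without saying anything."""
    if not keeps_open(envelope):
        return []
    resp, findings = envelope["response"], []
    if not spoken_text(resp.get("outputSpeech")):
        findings.append("silent_prompt")
    if not spoken_text((resp.get("reprompt") or {}).get("outputSpeech")):
        findings.append("silent_reprompt")
    return findings

def audit_session(turns, max_open=MAX_OPEN_SECONDS):
    """turns: (unix_seconds, envelope) pairs from one skill session, in order."""
    findings, opened_at = [], None
    for ts, envelope in turns:
        findings += [f for f in audit_response(envelope) if f not in findings]
        if not keeps_open(envelope):
            opened_at = None  # session closed, stop the clock
            continue
        opened_at = ts if opened_at is None else opened_at
        if ts - opened_at > max_open and "long_listen" not in findings:
            findings.append("long_listen")
    return findings

def reply(text, reprompt_ssml, end):
    """Build a constructed response envelope for the samples below."""
    return {"response": {
        "outputSpeech": {"type": "PlainText", "text": text},
        "reprompt": {"outputSpeech": {"type": "SSML", "ssml": reprompt_ssml}},
        "shouldEndSession": end}}

# Constructed samples, not captured traffic.
BENIGN = reply("2 plus 2 is 4.", "<speak>Anything else?</speak>", False)
SILENT = reply("2 plus 2 is 4.", "<speak> </speak>", False)
SESSION = [(0, SILENT), (40, SILENT), (80, SILENT)]
```
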
 
 It's not the first Alexa hack demonstrated by researchers. Last year, a separate group of researchers at MWR InfoSecurity showed how hackers could turn some models of Amazon Echo into a covert listening device.

 
