Latest Alexa hack shows Echo could be turned into scary spying device

27 Apr 2018

An Amazon Echo. Image: George W Bailey/Shutterstock

This week in IoT, a team of hackers finds a way to make Alexa record everything it hears, while IBM is working on a new blockchain solution.

Earlier this year, Amazon’s Echo smart assistant creeped a lot of people out with its Alexa software’s spontaneous laugh catching many users off guard, wondering what exactly Amazon had built into its device.

But now, a new vulnerability could turn the device used to order shopping and find out what the weather is, into one that can listen to and record everything you say.

According to Forbesthe discovery was made by a company called Checkmarx, whose tools test the security of soon-to-be released software.

The hack exploits Alexa’s in-built function to listen out for follow-up commands from the user – for example, it might ask did you mean pm or am when you asked to set an alarm for a certain time.

Gaining access was relatively simple as the team just installed malicious code into a seemingly innocent app – in this case, a calculator.

While Alexa (and the apps it uses) would have a list of words or phrases that would allow it to remain listening for a follow-up question, the Checkmarx team found a way for Alexa to accept any word.

And, hey presto, it records everything. But, thankfully, it has now been fixed.

Responding to the hack, Amazon said: “Customer trust is important to us and we take security and privacy seriously. We have put mitigations in place for detecting this type of skill behaviour reported by Checkmarx.”

US to put sensors on allies’ satellites for their protection

An interesting story this week reported by Defense One said that the US Air Force is planning to put sensors on a number of satellites operated by its allies – not only to get them up into space quicker, but to safeguard itself in the event of an attack.

The comments were made by the air force’s secretary, Heather Wilson, at the National Space Symposium. She said that by putting its sensors on other nations’ satellites, it would act as a deterrence while protecting the nations’ space assets.

It also helps that by spreading itself out further than its own satellites, it is no longer reliant on its own network, which could, for whatever reason, be compromised.

In a video released for the conference, a less-than-subtle warning was issued about “revisionist world powers” – referring to Russia and China – that want to challenge the US for dominance of Earth’s orbit.

Wilson argued that the shared spread of sensors helps defend the US because “taking out a satellite isn’t easy for them because it’s distributed, or because there are backups that are operated on satellites that belong to other countries”.

She added: “So, if you pick a fight with me, you got to pick a fight with my brother, too. That creates resilience inherent in the design of the system.”

IBM wants to reimagine IoT in blockchain

IBM has a close relationship with blockchain technology, and now it plans to find a way for IoT networks to securely execute blockchain-based smart contracts, according to CoinDesk.

In a new patent application, the tech giant explained that “one example method of operation may include determining a proof-of-work via a device and using a predefined set of nonce values when determining the proof-of-work, storing the proof-of-work on a blockchain and broadcasting the proof-of-work as a broadcast message.”

One of the biggest problems for an IoT blockchain solution is that devices in the network are unlikely to be able to handle the processing power needed for mining, and could be compromised quite easily, too.

IBM’s solution then is to limit the amount of one-time-use numbers to a defined range of devices and “provide equal chances of successful completion of proof-of-work to all IoT devices in the network”.

An Amazon Echo. Image: George W Bailey/Shutterstock

Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com