Security News Turning an Echo Into a Spy Device Only Took Some Clever Coding

[LASER_oneXM]

Content source

https://www.wired.com/story/amazon-echo-alexa-skill-spying/

It's important not to overstate the security risks of the Amazon Echo and other so-called smart speakers. They're useful, fun, and generally have well thought-out privacy protections. Then again, putting a mic in your home naturally invites questions over whether it can be used for eavesdropping—which is why researchers at the security firm Checkmarx started fiddling with Alexa, to see if they could turn it into a spy device. They did, with no intensive meddling required.
The attack, which Amazon has since fixed, follows the intended flow of using and programming an Echo. Because an Echo's mic only activates to send sound over the internet when someone says a wake word—usually "Alexa"— the researchers looked to see if they could piggyback on one of those legitimate reactions to listen in. A few clever manipulations later, they'd achieved their goal.

In fact, the researchers used an attack technique more common in mobile devices to carry off their eavesdropping. Whereas on a smartphone you might download a malicious app that snuck into, say, the Google Play Store, the researchers instead created a malicious Alexa applet—known as a "skill"—that could be uploaded to Amazon's Skill Store. Specifically, the researchers designed a skill that acts as a calculator, but has a lot more going on behind the scenes. (The Checkmarx team did not actually make their skill available to the general public.)

 

[ForgottenSeer 58943]

If it connects to the internet it can be used to spy. Microphone or otherwise.

One must be careful not only what the connect, but the amount of things they connect and whether or not if they MUST connect them.

 

[Deleted member 65228]

The 'Amazon Echo' was turned into a spy device by security researchers? No way!

I'm not trying to be funny but the 'Amazon Echo' already IS a spy device... it's like me trying to turn Windows 10 into Windows 10, or an apple into an apple.

All you need to do to turn an 'Amazon Echo' into a spy device is purchase one. Mission accomplished.