1(630)802-8605 Ravi.das@bn-inc.net

As I have described in a previous blog, the Smartphone has become an extension of both our professional and personal lives.  We literally cannot live without them, and if ours gets lost or stolen, a deep feeling of paralysis sets in.  Well, there is yet another component of the Smartphone, if you are a savvy enough user, to which you become addicted pretty quickly.  This is what is known as the “Virtual Personal Assistant”.

For the Android users, the VPA is known as “Siri” and for the iOS, the VPA is known as “Cortana”.  Amazon also makes its own brand of VPA, known as “Alexa”.  Essentially, as the name implies, these Virtual Assistants are supposed to make our everyday lives easier by tending to our daily needs.

Over time, the technology has become smart enough that it learns our behavior and, from there, builds a profile on us.  It anticipates what our needs and wants are on a daily basis, and from there provides the relevant solutions and answers.

For example, if we are driving somewhere, then depending upon the type of profile that has been built on us, any of these VPAs that you may be using will provide appropriate driving directions, good places to eat, cafes, etc.

Sounds good, right?  In theory, and in reality for the most part, yes.  But these VPAs also come with their own slew of security vulnerabilities.  I have written a series of articles on this for one of my clients, and I will share them with y’all later on.

But let us move on to the latest security vulnerability found in Alexa.  Security researchers at the Cyber security firm known as “Checkmarx” have discovered a new hack that can turn Alexa into a 24 X 7 X 365 listening device, even without you knowing about it.

The component that has been tampered with is known as “Echo”.  Apparently, Echo is not activated all the time; rather, it has a voice-activated functionality, and after a period of non-use it goes dormant until its end user activates it again with his or her voice.

The security flaw:  Echo now does not need a human voice to be activated; rather, any sound (such as clapping your hands, or even your dog barking) will activate it, and it will then secretly record conversations you are having with other people around you, or even as you talk on your phone.

But it doesn’t end here.  Supposedly, Echo can then send transcripts of your conversations over to third parties, such as advertising agencies, and from there, you get unwanted and annoying pop-up ads in your Smartphone web browser.

Apparently, the entry point in Echo for all of this to happen is the calculator app.  If you simply say “Alexa, open calculator”, the app will of course launch instantaneously, and from there, start the covert conversation recording.  In technical terms, “The calculator skill is initialized, and the API\Lambda-function that’s associated with the skill receives a launch request as an input.”  (SOURCE:  https://thehackernews.com/2018/04/amazon-alexa-hacking-skill.html)

The full technical report on this security flaw can be downloaded at this link:

https://thehackernews.com/2018/04/amazon-alexa-hacking-skill.html

But apparently, this is not an entirely foolproof hack.  It can be easily detected if you notice that the blue light on Echo remains on longer after you are done chatting with it.  Checkmarx has reported this security flaw to Amazon, and a fix for it is currently being worked on.  In the meantime, Amazon is also closely scrutinizing any other fake app that resembles this calculator app and rejecting it completely from being put onto its downloadable store.

It should be noted that this is not the first security flaw found in Echo; another team of security researchers, at MWR InfoSecurity, found other tech-savvy ways to turn Echo into a covert listening device as well.  Further details on this can be found at this link:

https://thehackernews.com/2017/08/hacking-amazon-echo-spying.html

My thoughts?  Well, I am glad that security researchers are literally breaking apart these VPAs to see what their unknown security vulnerabilities are.  Really, this is the only way to stay ahead of the Cyber attacker.  But on the flip side, every vulnerability that becomes known to the public is just one more piece of ammunition in the toolkit of the Cyber attacker to develop other types of stealthy attacks.

As for me, I really have no intention to use a VPA.  I don’t see the need for it, and honestly, I think of them more as a way in which you can be hacked into.  I am not a huge fan of all of the latest and greatest Smartphone technology.

Rather, I have a simple iPhone 5, and have only one mobile app on it, to check my email.  That’s primarily what I use it for.  As the old adage goes: keep it simple, keep it easy, and as a result, your life will be made more secure.