Who Are You Listening to, Alexa?

Amazon’s Alexa is a virtual assistant that can be accessed through mobile devices or the Amazon Echo speaker. On mobile devices, the assistant is activated by the push of a button. However, in the Echo implementation, an activation word, such as “Alexa,” brings the tool out of sleep mode and makes it available to act on command. This voice activation is a security problem that may leave you open to victimization by hackers.

Alexa is able to control the smart gadgets in your home, including altering your thermostat settings, turning on lights, turning on a smart microwave, and changing the TV channel. It can turn your smart security cameras off, turn your indoor webcams on, open your smart lock, and turn off your security alarm.

Skills for Hackers

The only problem with the ever-increasing scope of Alexa is that it also opens up the possibility of malicious outsiders manipulating it to ruin your life. The tool can be set up to access your bank account, and it is able to silently open web pages and log into other online accounts at your request. In these cases, you need to set up the assistant so it stores your login credentials. However, once those details are stored, they are potentially available to others who can get access to your Amazon Echo.

Voice recognition could be a good way to block people from breaking into your house, speaking commands to Alexa and accessing your bank account. However, hackers don’t need to enter your house in order to talk to Alexa, and they could very easily sample your voice through a fake telephone sales call and use an emulator to duplicate it. Another option open to hackers is to programmatically set up a new voice imprint, even replacing your voice recognition so you get locked out while they can get in.

Sonic Access

Hackers could access all of the functions of Alexa from a remote location, but how can they broadcast voice commands to your Amazon Echo? Maybe they could call your answering machine while you are out and hope that the speaker is turned on. However, very few people have physical answering machines these days, using network voicemail instead.

Thieves don’t need to enter your house or speak to your Alexa over a phone connection because they can use inaudible methods to communicate with it.

Just because you can’t hear something doesn’t mean that there is no sound. For example, everyone knows about dog whistles, which humans can’t hear but dogs can. There are sounds that are out of the range of human hearing. However, they are still sounds and they still exist. Computers can hear those sounds that humans cannot. These types of sounds are called “ultrasonic,” and they can be used to issue commands to your Alexa while you are at home, without you hearing them.

Chinese Research

The idea that hackers would use inaudible sound to send commands to your Alexa seems far-fetched. However, the technology has already been proven. Researchers at Zhejiang University in China designed the Dolphin Attack. The attack used ultrasonic messages that were picked up by a range of virtual assistants, including Amazon Alexa, Google Now, and Siri.

Ultrasonic messages can be embedded into audible sound recordings. The presence of other sounds does not cancel out or confuse the message in the ultrasonic track. So while you are listening to a song on your Amazon Echo, secret messages embedded in that music could be accessing your bank account.

Phishing and Trojans

Hackers send out millions of scam emails every day. These are automated processes that hope to gain an initial contact with anyone. This technique is called “phishing” and gives hackers access to the details of strangers. Maybe only one in a thousand recipients ever responds to these scams, but once you do, they have you.

Another hacker technique is the Trojan. This is an access program that you download to your computer. No one ever wants to get malware on their computer, but people unwittingly install it because it is attached to a utility they want or is embedded in a picture or a PDF file they intentionally downloaded. A Remote Access Trojan (RAT) enables the hacker to subsequently access your computer and load more malware and spyware onto it.

Ultrasonic Alexa hackers would use similar methods to control your Alexa. Commands could be embedded into a funny Facebook video or an eCard. While you play the innocent-looking recording on your computer, your Alexa would pick up the secret ultrasonic commands and act.

How to Protect Yourself

There are many channels for hackers to get ultrasonic commands into your home so they are picked up by your Alexa. This technique isn’t just an Alexa vulnerability, but could be used to attack any voice-activated device.

The easiest way to combat this risk is to turn off the microphone on your virtual assistant until you want to use it.

Image Credits: Red Ring on Amazon Echo Dot – Alexa Device, Hacker, Dolphin looking at camera-3+

One comment

  1. “The easiest way to combat this risk is to turn off the microphone on your virtual assistant until you want to use it.”
    No. The easiest way is not to use a voice assistant at all because as you have said yourself “… while you are listening to a song on your Amazon Echo, secret messages embedded in that music could be accessing your bank account.”
