Alexa’s Alarming New Security Hole May Not Have a Fix
Hackers can create evil skills to potentially steal your personal info, researchers say.
As if we needed more proof that everything, absolutely everything, can be hacked, here comes another Alexa security hole — one that allows hackers to hijack your Amazon Echo. And this time there may not be a fix for it.
Ars Technica reports on this breach, called “skill squatting,” and it sounds pretty nasty.
Researchers from the University of Illinois at Urbana-Champaign (UIUC) claim that this hack is very simple to execute: Malicious hackers can create evil Alexa skills — the commands that enable your Amazon assistant to help you do stuff just using your voice — with homophones, names that sound like the names of other legitimate third-party skills. By doing that, hackers can squat over the functions of a legitimate skill, enabling them to obtain personal or financial information.
To demonstrate how this works, the researchers made a demo showing how you can squat American Express’ Alexa skill to fool users into sending their private information.
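As an added illustration (not code from the researchers, Ars Technica or Amazon), here is a defender-side check a skill store could run on submissions: it flags a new invocation name that is spelled differently from a registered one but reduces to the same phonetic key. Soundex is used here as a simple stand-in for "sounds alike", and the skill names are constructed samples.

```python
import re

# Standard American Soundex digit groups.
_CODES = {ch: d for d, group in
          {"1": "bfpv", "2": "cgjkqsxz", "3": "dt",
           "4": "l", "5": "mn", "6": "r"}.items() for ch in group}

def soundex(word):
    """Return the 4-character Soundex code of one word ('' if no letters)."""
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return ""
    out, prev = word[0].upper(), _CODES.get(word[0], "")
    for ch in word[1:]:
        if ch in "hw":          # h and w do not separate equal codes
            continue
        code = _CODES.get(ch, "")
        if code and code != prev:
            out += code
        prev = code             # a vowel resets prev, so repeats count again
    return (out + "000")[:4]

def phonetic_key(invocation_name):
    """Per-word Soundex codes for a whole invocation name."""
    return tuple(soundex(w) for w in invocation_name.split() if soundex(w))

def sound_alike_collisions(registered, submitted):
    """Pairs (submitted, registered) spelled differently but sharing a key."""
    by_key = {}
    for name in registered:
        by_key.setdefault(phonetic_key(name), []).append(name)
    hits = []
    for cand in submitted:
        for name in by_key.get(phonetic_key(cand), []):
            if cand.lower().split() != name.lower().split():
                hits.append((cand, name))
    return hits

# Constructed sample data, not real skill names.
REGISTERED = ["main street bank", "flour timer", "sea facts"]
SUBMITTED = ["mane street bank", "flower timer", "cat facts", "sea facts"]

if __name__ == "__main__":
    for cand, name in sound_alike_collisions(REGISTERED, SUBMITTED):
        print(f"review: {cand!r} sounds like registered {name!r}")
```

A spelling-based key like this only catches homophones; it cannot predict the speech classifier's own misinterpretations that the researchers measured.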
A patch won’t fix it
The team also found that skill squatting can be triggered using words that are misinterpreted by Alexa. They did a test with 188 words and 60 different speakers. Out of the 188 words, 27 were consistently misinterpreted and, of those, some were specifically misinterpreted depending on ethnicity and gender. According to the researchers, “these words could potentially be used to target attacks against a specific demographic.”
Professor Adam Bates, director of UIUC's Secure and Transparent Systems Laboratory, told Ars that this is not going to be easy to solve, as it is dependent on the very machine learning principles that power these machines. This “isn't an 'oh, we push a patch and the problem goes away' issue,” he told the publication, “it's that we're placing our trust in the machine-learning language-processing classifier, and all machine learning classifiers are going to make errors.”
According to Bates, there are going to be problems down the line, even though Amazon told Ars that it has “measures in place” to avoid this, without specifying what these are. To give you an idea of the potential dimensions of this problem, in May 2018 there were 30,000 Amazon Alexa skills in the US alone.
A big problem now, and a bigger problem ahead
Seriously, I've lost count of the times that Echo’s security holes have turned it into a wiretap device. And nobody seems to be doing anything about the issue except the Europeans, who are cracking down on the nightmare that is the Internet of Things, at least for those devices that are aimed at children.
But the fact is that something like Amazon Echo, Google Home, or Apple HomePod makes everyone in a home vulnerable, children and adults alike. U.S. regulatory authorities like the FCC don’t seem to be addressing this laxness when it comes to privacy, much to the cheering of governmental spy agencies.
The fact is that these holes are constantly popping up everywhere. And as we get more dependent on listening devices and connected appliances, the problems are only going to get worse.
Jesus Diaz founded the new Sploid for Gawker Media after seven years working at Gizmodo, where he helmed the lost-in-a-bar iPhone 4 story and wrote old angry man rants, among other things. He's a creative director, screenwriter, and producer at The Magic Sauce, and currently writes for Fast Company and Tom's Guide.

