Alexa’s Alarming New Security Hole May Not Have a Fix

As if we needed more proof that everything, absolutely everything, can be hacked, here comes another Alexa security hole — one that allows hackers to hijack your Amazon Echo. And this time there may not be a fix for it.

Ars Technica reports on this breach: called “skill squatting," and it sounds pretty nasty.

Credit: Tom's Gudie

(Image credit: Tom's Gudie)

Researchers from the University of Illinois at Urbana-Champaign (UIUC) claim that this hack is very simple to execute: Malicious hackers can create evil Alexa skills — the commands that enable your Amazon assistant to help you do stuff just using your voice —with homophones, names that sound like the names of other third-party legitimate skills. By doing that, hackers can squat over the functions of a legitimate skill, enabling them to obtain personal or financial information.

To demonstrate how this work the researchers made this demo showing how you can squat American Express’ Alexa skill to fool users into sending their private information.

A patch won’t fix it

The team also found out that the skill squating can also be triggered using words that are misinterpreted by Alexa. They did a test with 188 words and 60 different speakers. Our of the 188 words, 27 were consistently misinterpreted and, of those, some were specifically misinterpreted depending on ethnicity and gender. According to the researchers,”these words could potentially be used to target attacks against a specific demographic.”

MORE: How to Secure Your Alexa Device in 5 Simple Steps

Professor Adam Bates, director of UIUC's Secure and Transparent Systems Laboratory, told Ars that this is not going to be easy to solve, as it is dependent on the very machine learning principles that power this machines. This "isn't an 'oh, we push a patch and the problem goes away' issue,” he told the publication, “it's that we're placing our trust in the machine-learning language-processing classifier, and all machine learning classifiers are going to make errors.”

According to Bates, there's going to be problems down the line, even while Amazon told Ars that they have “measures in place” to avoid this without specifying what these are. To give you an idea to the potential dimension of this problem, in May 2018 there were 30,000 Amazon Alexa skills in the US alone.

A big problem now, and a bigger problem ahead

Seriously, I've lost count of the times that Echo’s security holes has turned it into a wiretap device. And nobody seems to be doing anything about the issue except the Europeans, who are cracking down on the nightmare that is Internet of Things, at least for those devices that are addressed to children.

But the fact is that something like Amazon Echo, Google Home, or Apple HomePod makes everyone in a home vulnerable, children and adults alike. U.S. regulatory authorities like the FCC don’t seem to be addressing this lax when it comes to privacy, much to the cheering of governmental spy agencies.

The fact is that, looking at these holes constantly popping everywhere. And As we get more dependent of listening devices and connected appliances, the problems are only going to get worse.

Jesus Diaz

Jesus Diaz founded the new Sploid for Gawker Media after seven years working at Gizmodo, where he helmed the lost-in-a-bar iPhone 4 story and wrote old angry man rants, among other things. He's a creative director, screenwriter, and producer at The Magic Sauce, and currently writes for Fast Company and Tom's Guide.