“Alexa, find me a Tuna Pesto Pasta recipe…”
Isn’t it so convenient to have everything done for you?
Amazon Alexa makes the daily life of millions of people around the world easier in many ways.
But it sometimes brings trouble to the users’ homes as well…
Read on to learn:
- How secure Amazon Alexa is.
- How hackers use Amazon skills to hack.
- What’s the biggest risk of Amazon Sidewalk.
- 10 shocking security facts about Amazon Alexa.
- And much much more…
Can Alexa be hacked?
Alexa can be hacked in various ways. Most commonly by hijacking Wi-Fi routers and creating false Amazon skills. Through false skills, hacking can happen either by voice squatting or code alterations. In extreme cases, it can also be by activating the device using laser lights and frequencies.
10 shocking Alexa security facts
#1: Hackers can build Amazon skills under false names
Users can do many things with Alexa because of the third-party apps running on its platform. Some examples of these are Spotify, Allrecipes, Headspace, and Best Buy. Amazon refers to these apps as “Amazon skills.”
In 2021, Alexa has gained over 100,000 skills since its first launch.
“That’s a lot! How does Amazon validate each one?”
That’s the question many have been asking as well.
Yes, Amazon has specific requirements in creating a custom skill. But some researchers managed to find loopholes in it.
In a recent study, researchers managed to create skills under some company names.
The researchers sent the paper to Amazon. Yet, Amazon insisted that they’re vetting process is well secured.
Was it really secured given the research results?
#2: Users information can be collected through voice squatting
Some hackers send phishing attacks through voice squatting, also known as skill squatting.
Voice squatting is developing systematic errors to lead users to false sites.
“But how can attackers perform phishing activities within Amazon’s system?”
According to a 2018 research, attackers can create false Amazon skills. And duplicate evocative phrases of popular third-party apps.
In this way, they can lead users to phishing sites and ask for sensitive information.
Alexa relies on speech recognition. And it can sometimes pick up incorrect words.
“How does it actually happen?”
Attackers can use the misheard spellings of invocative phrases of other apps. For example, they can use “Citybank” to mimic “Citibank.”
When a user says “Alexa, open Citibank.” Alexa will open either the Citibank app (real banking app) or Citybank app (phishing app).
When a user enters a false site, that’s when hackers ask for bank information, unsuspiciously.
Read also: Alexa Device Is Unresponsive: 16 Causes & Fixes
#3: Skill developers can still alter backend codes
Amazon reviews and validates certificates of custom skills. This prevents attackers from hijacking the system.
Yet, the same researchers from Ruhr-Universität Bochum found another Alexa vulnerability on.
According to their study, developers can alter their backend codes even after approval.
That means attackers can disguise themselves as legitimate companies or developers. Then, later on, change their backend codes to trick Alexa users.
#4: Most Amazon skills have undisclosed privacy policies
The privacy policy is a document that lets users know how developers collect and use their data.
To ensure users’ privacy, developers are usually required to publish their privacy policy.
But not Amazon…
Amazon encourages but doesn’t require skilled developers to submit privacy policies. Making their users’ privacy at risk.
In the same study, researchers found out that only 28.5% of Amazon skills have valid privacy policies. And only 13.6% of kid-focused skills have privacy policies published.
It seems like user privacy isn’t Amazon’s top priority at all.
#5: Alexa can follow commands from anyone
Unlike other popular voice assistants, Amazon Alexa doesn’t have voice-recognition authentication.
Meaning, anyone who says “Hey, Alexa!” can set commands. And that includes people from outside your home.
In fact, according to a 2020 research, Alexa is more likely to pick up words from unclear dialogues.
So, if someone is trying to get in your house or access your linked accounts, they can easily command Alexa. Especially if your smart speaker is near any openings in your house.
Important to remember: This is why tech experts advise users to not link their bank accounts and home security systems to smart speakers.
#6: Amazon employees do manual transcriptions
Call Alexa however you want – computer, robot, or a genius.
At the end of the day, Alexa is still managed and controlled by actual humans.
In a 2019 Time report, seven previous Amazon employees exposed how Amazon hires people to manually transcribe voice recordings from Alexa.
According to them, thousands of employees from Boston, Romania, India, and Costa Rica listen to and review audio clips every day. Each person parses about 1000 clips per shift.
They pick up certain keywords and phrases to add to Amazon’s system. This is done to improve Amazon’s algorithm and advertising tactics.
“That means there’s one person who listens to my recording every day?”
Actually, it can be more than one person. According to them, employees have internal chat rooms where they share recordings.
They send recordings to other reviewers to help them with parsing. But sometimes, just to share interesting or disturbing audio clips.
Amazon answered saying that only a small percentage undergo review. And they do this to improve their natural language understanding and speech recognition system.
Amazon clarified that reviewers don’t have access to any other users’ information. But investigations revealed that reviewers can see a user’s first name, account number, and device’s serial number.
While this doesn’t necessarily expose users to hackers, reviewers may find ways to collect other information about the users. Especially knowing that some of these reviewers work within contracts.
You might also like: What is Alexa’s self-destruct code?
#7: Amazon Echo can be hacked via your Wi-Fi router
Aside from creating Amazon Skills, attackers hack Alexa by hijacking Wi-Fi networks.
In 2017, researchers published a paper on how Amazon devices are vulnerable to KRACK.
Key Reinstallation Attack (KRACK) is a server play attack in Wi-Fi networks. Specifically on WPA2 standard networks, which was commonly used at that time.
Researchers have found that specific Amazon devices are vulnerable to two KRACK attacks. For once, these attacks can intercept passwords and session cookies, and a further break-in.
Although the researchers stressed that these attacks can’t be easily performed. Plus, Amazon has then enhanced their security system to address this vulnerability.
#8: Amazon Sidewalk shares your network with your neighbors
On June 8, Amazon launched Amazon Sidewalk.
It’s a special program that helps easily connect smart devices outside your home to a Wi-Fi network.
It works by making certain Amazon devices such as Echo and Ring to act as the middleman between the two.
Amazon described it as a community-shared network. As other users, especially your neighbors, can connect to your bridge.
This is where tech experts and researchers are a little wary.
Although Amazon ensures that users’ privacy is protected, experts still warn users. As this technology is new and there’s no published research yet about it.
Internet-enabled devices are prone to hacking via Wi-Fi networks. So, sharing your internet network to your neighbors might not be a good idea.
There’s another thing that concerns experts about Amazon Sidewalk. And that’s users won’t know if someone connects to their bridge.
Sure, users connected to your bridge won’t know information about you either. But it’s still a little unsettling not knowing who you’re sharing networks with.
Since Amazon Echo is directly involved, it would be easier to collect or tamper information once hacked.
Amazon Sidewalk being a default program is also a red flag.
“I don’t want it! Why can’t Amazon just sell it as a separate program?”
No one knows either.
Experts advise users to opt out if they’re not yet confident about Amazon Sidewalk’s security system.
#9: Laser lights can wake Amazon Alexa
In late 2019, Takeshi Sugawara and his team published a study explaining how laser-powered lights can activate smart speakers, including Alexa.
Their team studied the possibility of how converting light to sound can activate smart speakers, in various scenarios.
According to their research, lasers can be used by attackers to set commands remotely.
In fact, aiming the laser to the smart speaker’s microphone 250 ft. (76.2 m) away from the device works as well.
When this happens, attackers can access your other smart devices including your home security functions. This is especially true, knowing that Alexa lacks voice-recognition authentication.
It sounds alerting, but you won’t have to worry as doing this won’t be easy as well.
To successfully activate Alexa, the laser light should pass through a clear path. Meaning, there shouldn’t be walls, glass, or curtains in between.
In short, attackers would need to be in close proximity.
Watch this video to know more about how lasers can activate Alexa:
#10: Hackers can set commands using frequencies
In extreme cases, hackers can also activate Alexa using frequencies.
This is called the Dolphin Attack.
Unlike lasers, you can’t see or hear ultrasound frequencies. And that makes it harder to detect.
“But Alexa is voice-activated. How can it happen?”
Well, voice-activated devices turn out to be able to hear and interpret frequencies. They’re designed to identify and understand frequencies. Even those that are inaudible to humans.
With this, hackers can hijack your device unsuspiciously and remotely.
Hackers can send frequencies through videos or broadcasts. Depending on how creative the hackers are.
According to one study, Alexa can interpret inaudible voice commands up to 2-3 meters away from the device.
Again, this is possible as Alexa lacks voice-recognition authentication.
How secure is Alexa?
Compared to other voice assistants, Alexa is the most studied program. Many researchers around the world reviewed its security functions as Alexa is the most used voice assistant worldwide.
According to the latest reports, Amazon Alexa has 40 million uses in the United States alone. Plus, about 70% of smart users in the US use Alexa.
Six years after its launch, Alexa remains the most dominant voice assistant program in the world.
Because of that, many researchers have focused on reviewing and studying Amazon Alexa’s security system. As they believe that the more devices sold, the more cyberattack threat it potentially carries.
As you can see, Alexa has its own shares of vulnerabilities. Like the lack of voice recognition authentication on older models. Not to mention, Amazon’s disregard to users’ privacy.
But these researchers have become a way for Amazon to tighten and enhance their security system.
As of October 2021, Amazon has added features and functions that were lacking in their previous device generations.
“What are Alexa’s new privacy and security features?”
First, Amazon Alexa now has a voice-recognition authentication system.
By creating your voice profile, you’re helping Alexa personalize its responses to you as well. With this, you can limit access to your personal accounts and apps. Such as work email, bank accounts, and calendar.
Second, users who use Amazon Echo with cameras can now enable Visual ID.
Similar to voice-recognition authentication, Visual ID detects your profile to personalize its responses. However, this feature is only available to newer generations.
Third, the new release of smart speakers allows users to opt-out in reviewing their voice data manually. This is how Amazon responds to the issue about Amazon contractual employees reviewing users’ voice data.
Similar to that, US users can now also choose to have their voice commands processed by the device itself. Meaning, voice data won’t be sent to clouds anymore and it will be automatically deleted after being processed.
To summarize, here are Alexa’s new notable privacy and security features:
- Visual ID.
- Voice-recognition authentication.
- Disable voice data manual review.
- Enable processing of data on the device itself.
Sure, Alexa, like any other voice assistant, has its own flaws. But that’s the risk of using internet-enabled devices, especially in this generation.
But getting informed and knowing how to protect your own data will keep you safe from any possible risks.
You might also want to check out: Can Google Home / Nest Be Hacked? 6 Dangers + 10 Tips