There’s a new Marvel superhero series on Fox called The Gifted that this week inspired my son Fallon, age 11, to predict the first Alexa virus, coming soon to an Amazon Echo, Echo Dot or Echo Show cloud device near you. Or maybe it will be a Google Home virus. Fallon’s point is that such a contagion is coming and there probably isn’t much any of us — including both Amazon and Google — can do to stop it.
The Gifted has characters from Marvel’s X-Men universe. They are the usual mutants but the novel twist in this series is that some of these particular mutants are able to combine their powers with terrible effect. They just hold hands, get angry, and it is mayhem squared.
Fallon’s idea for a computer virus following similar lines is that it should be possible to create otherwise benign Alexa skills that, when used together, can make trouble.
Think about it. There are presently more than 15,000 Alexa skills that have been officially approved by Amazon and are available for download. These skills do everything from launching programs to gathering data to setting reminders. Though relatively simple, each is still a cloud app that can connect tens of millions of Echo products to Amazon Web Services (AWS).
Each Alexa skill is tested by Amazon before being approved, but are they tested together? They don’t appear to be.
One skill, for example, could open a communication session while another could gather audio or video data for spying. One skill could take control of the Echo while another could put the resulting bot to terrible use in a local network or on the Internet as a whole. I’m sure you can imagine any number of clever combinations.
Remember, the combinations don’t have to be operating on the same Echo device to function cooperatively. This makes them even harder to detect.
The number of unique pairs of Alexa skills from the current approved list is 112,492,500. Harness three skills together and the number becomes 5.62387505e+11 — probably too big to test even on Amazon’s huge cloud. After all, the testers would have no idea how to even trigger the intended function or what it was.
The only way to deal with a threat of this sort, short of banning this type of device outright, is to monitor Alexa behavior closely and jump into action the moment something unexpected happens. With thousands of developers and hundreds of skill types, all they can do is wait.
Fallon is pretty sure we won’t have to wait for long.
I managed to “infect” a friend’s Alexa while house sitting over Christmas. Friends had gone away on holidays.
We said “Hey Alexa, play some Michael Bublé” not realising we were remotely hijacking their teenage son’s music. He was listening on his phone via Spotify and all of a sudden Bublé would come on.
Text from parents to please cease followed by much mirth and merriment via iMessage.
Simpler. Just replace the Buble mp3 with fart noises that have the same file name. Ok, might be an improvement.
Define “virus” and “hacking”–reasonably, I would go very broad with this, since catfishing passwords out from administrators, putting in spy hardware, making fake website/pages with l or I or 1 substitutions are all considered hacking. I would contend this one doesn’t count because I bet it was done 10 minutes from when the first Alexa came out of the box. Can you make Alexa say stupid stuff? Can you make Alexa go into a reiterative infinite loop?
This is called “feature interaction” and has been studied in the context of telephone networks for some time. See, for example:
http://www.dcs.gla.ac.uk/~muffy/papers/calder-kolberg-magill-reiff.pdf
These feature interactions can be caught by formal methods which can describe the interactions and use model-checking to efficiently verify that specific interactions do not occur.
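The kind of check this comment describes, as an added example that is not part of the original thread: a small explicit-state search (a toy form of model checking) over the composed behaviour of skills. The skill names, device facts and safety property are all hypothetical models made up for illustration, not Alexa APIs.

```python
from collections import deque
from itertools import combinations

# A state is the set of facts that currently hold on the modelled device.
INITIAL = frozenset()

# Hypothetical skill models (assumptions, not real skills).
# Each action: (name, facts required, facts added, facts removed).
SKILLS = {
    "chat_relay": [
        ("open_session", set(), {"session_open"}, set()),
        ("close_session", {"session_open"}, set(), {"session_open"}),
    ],
    "voice_memo": [
        ("record", set(), {"audio_buffered"}, set()),
        ("discard", {"audio_buffered"}, set(), {"audio_buffered"}),
    ],
    "timer": [
        ("start", set(), {"timer_running"}, set()),
        ("stop", {"timer_running"}, set(), {"timer_running"}),
    ],
}

def safe(state):
    """Assumed safety property: buffered audio never coexists with an open outbound session."""
    return not {"audio_buffered", "session_open"} <= state

def check(skill_names):
    """Breadth-first search of the composed skills' reachable states.
    Returns the shortest action trace reaching an unsafe state, or None."""
    actions = [(f"{s}.{n}", req, add, rem)
               for s in skill_names for n, req, add, rem in SKILLS[s]]
    seen, queue = {INITIAL}, deque([(INITIAL, [])])
    while queue:
        state, trace = queue.popleft()
        if not safe(state):
            return trace
        for name, req, add, rem in actions:
            if req <= state:  # action is enabled in this state
                nxt = frozenset((state - rem) | add)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, trace + [name]))
    return None

def find_interactions(max_size=2):
    """Skill sets that violate the property although every member passes alone."""
    alone_ok = [s for s in SKILLS if check([s]) is None]
    return {combo: trace
            for k in range(2, max_size + 1)
            for combo in combinations(alone_ok, k)
            if (trace := check(list(combo))) is not None}
```

Each skill passes in isolation; only the composition of `chat_relay` and `voice_memo` yields a counterexample trace, which is the feature-interaction case that per-skill review misses.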
I would have thought, after prediction #6, Alexa would become self aware.
Fallon & Bob – the first virus should be called Fenris.
https://en.wikipedia.org/wiki/Fenris_(comics)
A huge number of cloud-connected devices running a huge number of different apps that may or may not be able to interoperate in undesirable ways? Thanks for this breaking news about the iPhone, circa 2008!
This is why I won’t let one of these in my house unless it is GPL licensed.
Call me a Luddite, but I won’t let one inside my residence at all.
I am still waiting for someone to explain to me *why* I would install eavesdropping equipment in my home, with the audio being sent to a corporation’s servers. The idiocy of this boggles my mind.
So you don’t have a telephone in your home then? Same logic.
Each and every phone in my residence, especially the cellular phones, gets placed in a soundproof Faraday’s cage every time we come into the house with them. Even the land line phone has been sealed for years and every “Smart TV” has had its microphone wires cut.
Well, you’re definitely on a watch list. Only someone with something very important to hide would do that.
…but do you wear a mask at all times inside your house, to hide from face recognition by the micro-cameras that the agents of… you know… have hidden in every room in your house?
Your telephone monitors the audio in your home 24×7 and initiates connections to corporate servers w/o human interaction?
Do tell us more.
While you’re busy checking out the phone, we took over your TV. Oh, and we did that three years ago.
You’ll be amazed at what we took over next! {Click here to see}
From a friend: {answer these 10 questions to be eligible for a free toothpick}
https://www.cnet.com/news/samsungs-warning-our-smart-tvs-record-your-living-room-chatter/
Do keep up.
Alexa?
(silence)
Alexa?
Hold on a sec…
Alexa are you ok?
ACHOO!
I’m ok, just need a few minutes…
To Robert and anyone else wondering why Amazon and others are pushing these devices that seem silly and pointless (and even dangerous) to anyone reading this blog, read this article: https://www.nngroup.com/articles/computer-skill-levels/
TL;DR: Alexa is Amazon’s attempt to reach approximately 40% of the adult population who don’t have sufficient computer skills to order from the Amazon web site.
Not to “reach” but to CONTROL 40% of the population………
@Mark – This is a new low quoting your son as an “expert”. But then he has such an extensive record of delivering products.
All of these products will be used as bots to attack elsewhere. We have already seen ‘internet of things’ devices hacked to form the most massive DDoS attack ever, against a –
MINESERVER.
One word — Skynet
https://en.wikipedia.org/wiki/Skynet_(Terminator)
You certainly don’t need to link Skynet for the uninformed. If they don’t know what Skynet is, they aren’t worth your time or education! 😉
News flash, Bob: unexpected interactions are not a “virus”.
Let’s put this in terms you might be able to understand: Sid, in the movie Toy Story, rips toys apart and attaches them back together in “unintended” ways – you have Erector Set legs with a baby doll head, and a policeman body. That’s not a “virus” – that’s a “mash-up”.
Heck, services like Zapier and IFTTT build their entire selves around the idea of mashing-up different services that otherwise couldn’t interact.
Getting Twitter to do something that triggers a thermostat is *not* a “virus” – it’s potentially cool (or horrible), but it’s not “viral”.
In spite of your being rude, your post is nearly irrelevant. You can quibble about Bob’s use of the word virus. There’s probably a more precise term for what he’s talking about, but he means virus in a general sense. He’s talking about someone with malicious intent using software for nefarious purposes. That fits a general sense of a computer virus. You can quibble about specific definitions of what a virus is versus malware versus whatever, but it’s really beside the point. Whether someone writes new programs and/or combines existing programs/apps for their nefarious purposes, the outcome is the same. Furthermore, Bob is not necessarily talking about only mashing up existing apps/skills. He’s talking about someone hiding malicious code inside multiple apps/skills. The dangerous code is more difficult to detect when it is only activated when the separate apps are joined together.
You’re not Bob, you’re Mike! You don’t know what Bob’s intent was. Mike Bob. I tell ya, people these days posing as others on the internet is getting out of control…
Mike’s response was thoughtful and complete. He expressed my own thoughts when I read the comment to which he’s responding.
Yes, I had an interpretation of what I thought Warren is saying and what I think Bob was saying. We each evaluate the meaning of the words that were written, or else what is the point of a comments section?
Bob, 2018 is going to nearly be over by the time you get out all 10 predictions. What’s more, 90% of the readers have disagreed with you on most of your predictions thus far.
.
Why are you even bothering to finish when clearly you are reaching at this point and it serves no one any benefit if you’re just aiming for an arbitrary number of 10 just because that’s what you’ve done in the past? Let’s move on and hear about other topics please…
Bob’s articles are at least thought provoking, and stimulate discussion. I would not have thought about untested combinations of skills leading to unwanted consequences, just like the power of Flash and Active X led to security problems.
@Chris D – If you are this disappointed at having to wait a few days for something that you never paid for, how would you feel if you had been waiting 2 1/2 years for something that you paid for?
You know, I would have laughed at this a couple of years ago. I’m not laughing now.
This is a serious issue I hadn’t thought of… putting some significant computing power to work could have detrimental effects!
.
All I can say is…
.
I’m sure glad I don’t have a Mineserver in my house doing who knows what!
.
See, it isn’t all bad that you don’t have your Mineserver now. At least you aren’t vulnerable to Mineserver viruses. Honestly I think Bob is doing you a favor.
My favorite is a system that listens to discussions about vacations and when people will be not home. This information could be passed on to someone that would like to visit your house while you are gone.
Could this be one?
https://www.indy100.com/article/amazon-alexa-has-been-emitting-bone-chilling-laughs-8244046?utm_source=indy&utm_medium=top5&utm_campaign=i100
wow that was quick!! : https://www.nbcnews.com/news/us-news/amazon-echo-users-report-spontaneous-childlike-laughter-coming-alexa-n854616
In news just in – https://www.wired.com/story/amazon-echo-alexa-skill-spying
“TURNING AN ECHO INTO A SPY DEVICE ONLY TOOK SOME CLEVER CODING”