Alexa, Amazon, Information Security, insider theft, insider threats, iot, Rocco, smart speakers, Top News

Snack-happy parrot shows insider threats come in all shapes and sizes

A new form of insider threat has been discovered, with evidence of a threat actor attempting to burgle a homeowner via illicit snack delivery orders placed on her Amazon Alexa smart speaker.

According to the UK’s National Animal Welfare Trust, the culprit goes by the handle of “Rocco,” a fugitive African Grey Parrot that had already displayed antisocial tendencies – namely, foul language and tossing his water bowl around – while in the care of the trust.

Staff member Marion Wischnewski, who lives in Oxfordshire, had rehomed Rocco, in spite of his propensity to fling and his swearing, which had led the trust to fear that visitors would flee from his verbal floggings.

Once ensconced in his new workplace, Rocco set about endearing himself to his human overlords. Wischnewski told news outlets that he’s got a “sweet personality” and loves to dance to romantic music… music that, apparently, he’s learned how to request from Alexa. He has, after all, been exposed to the overlords’ conversations with Alexa, and, as members of his species are wont to do, has learned how to ask for what he wants.

What he wants, besides sappy songs to bounce to, are tasty snacks, various inanimate objects, and homeware. He has reportedly attempted to place orders for lightbulbs, a kite, watermelon, ice cream, raisins, strawberries, broccoli, and a tea kettle.

Thanks to security controls put in place by his overlord, Rocco has not managed to successfully defraud her smart speaker. The Sunday Times quoted Wischnewski:

I have to check the shopping list when I come in from work and cancel all the items he’s ordered.

This is a timely reminder that…

  • Insider threats are real. They come in more forms than you might imagine and aren’t always malicious: they can be caused by negligence, lack of training, or, say, bored, chatty parrots. Unfortunately, Alexa can’t tell the difference between legitimate and not-so-legitimate requests, showing that…
  • The internet of “smart” things (IoT) isn’t all that smart. Not if IoT devices can be used by snack-happy parrots or little kids who get a hankering for a big old pricey dollhouse.
  • There are controls you can put in place to stop Rocco-esque shopping madness. Wischnewski says she’s put a parental lock on her Alexa’s buying ability. She has to check and cancel any orders that Rocco may have made in her absence: what must be a prodigious task, given that Rocco seems to have fallen in love with Alexa and interacts with her about 40 times a day.

At least her Alexa comes with a parental lock that can stop the transactions… Unless that’s just what Rocco wants us to think?

Source : Naked Security

Previous ArticleNext Article
Founder and Editor-in-Chief of 'Professional Hackers India'. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.

Send this to a friend