Checkmarx, a company that provides automated security code review services, has uncovered a flaw in Amazon’s Echo that allows it to eavesdrop on users at all times, without the users being aware of it.
Alexa Is Always Listening
Normally, the Echo has an “always-on” listening capability, which in theory is supposed to only be fully activated when it hears the word “Alexa.” Once a user says Alexa, the device will start recording what the user says and analyze that audio information. After it provides the information the user requested, then its listening capabilities should go back to stand-by and it should stop recording users’ voices.
However, a flaw uncovered by Checkmarx researchers can allow a malicious party to record everything indefinitely after the user has activated a malicious app (or “skill”).
Exploiting this bug still required the researchers to ensure the Alexa recording session would stay alive after the user received a silent response from the device. They also had to ensure that the transcribing of the recorded voice was accurate, in order for the data to be useful to a malicious party.
The Checkmarx researchers disclosed the flaw to Amazon and said that they worked closely with the company’s team to implement some solutions against this type of attack. For starters, Amazon will review apps under a stricter criteria, to find the "eavesdropping" skills. The company will also change Echo's code to take appropriate actions when certain skills send empty-reprompts or when the sessions take longer than usual.
As more people buy devices such as the Echo, Google Home, or other similar always-listening devices, they’ll likely be at an increased risk of eavesdropping, as similar flaws are more sought-out by malicious parties. We also know that the FBI has started becoming quite interested in using Amazon’s Echo to surveil suspects, and this interest will likely only grow in the future.
Stay on the Cutting Edge
Join the experts who read Tom's Hardware for the inside track on enthusiast PC tech news — and have for over 25 years. We'll send breaking news and in-depth reviews of CPUs, GPUs, AI, maker hardware and more straight to your inbox.
It is NOT a flaw when it is a intentionally made as a government backdoor that they hoped would not be found.Reply
Is anyone actually surprised that Echo has a flaw like this?Reply
20920010 said:Is anyone actually surprised that Echo has a flaw like this?
Not in the least. I warned of this exact thing back when the Echo first launched....
Except you have to willingly and actively enable one of said malicious skills in the first place.Reply
20920311 said:Except you have to willingly and actively enable one of said malicious skills in the first place.
The same is the case with a lot of malware that targets Windows systems.....
Exactly, a non-issue if you have any sort of sense of "security".Reply
They were designed to do this and always will.Reply
What I don't understand is, if a stranger were hanging around your home, peaking in your windows and using listening devices and cameras/video and you knew it, you would be angry like a wounded bear. Actions would include confronting the creep in anger, physical violence, calling of police and/or shooting, clubbing or stabbing the sob, among other thing.Reply
Yet people continue to bring these thoroughly invasive devices into their home and pay to do it.
behavior that shows a lack of good sense or judgment.
"I can't believe my own stupidity" · synonyms: lack of intelligence · unintelligence · foolishness · denseness · brainlessness · ignorance · mindlessness · dull-wittedness · dull-headedness · dullness · slow-wittedness · doltishness · the quality of being stupid or unintelligent.
"a comedy of infantile stupidity"
20920338 said:Exactly, a non-issue if you have any sort of sense of "security".
Except that you miss the simple fact that Amazon can choose to use the Echo is precisely the same way as any "malicious skill" could.... This is what the Echo was designed for. To listen in on customers. Is there any proof that Amazon isn't already doing this themselves? Or whether they have plans to at some point? Good security "sense" would include not buying such a device to start with.
Amazon and he US government work hand in hand. So this device is basically a spying tool , like many other voice oriented tech.Reply
Wasn't a flaw and even if patched will still record and listen.