Amazon Echo Flaw Allowed For Silent Eavesdropping Of Users' Conversations
Checkmarx, a company that provides automated security code review services, has uncovered a flaw in Amazon’s Echo that allows it to eavesdrop on users at all times, without the users being aware of it.
Alexa Is Always Listening
Normally, the Echo has an “always-on” listening capability, which in theory is supposed to only be fully activated when it hears the word “Alexa.” Once a user says Alexa, the device will start recording what the user says and analyze that audio information. After it provides the information the user requested, then its listening capabilities should go back to stand-by and it should stop recording users’ voices.
However, a flaw uncovered by Checkmarx researchers can allow a malicious party to record everything indefinitely after the user has activated a malicious app (or “skill”).
Exploiting this bug still required the researchers to ensure the Alexa recording session would stay alive after the user received a silent response from the device. They also had to ensure that the transcribing of the recorded voice was accurate, in order for the data to be useful to a malicious party.
Mitigations
The Checkmarx researchers disclosed the flaw to Amazon and said that they worked closely with the company’s team to implement some solutions against this type of attack. For starters, Amazon will review apps under a stricter criteria, to find the "eavesdropping" skills. The company will also change Echo's code to take appropriate actions when certain skills send empty-reprompts or when the sessions take longer than usual.
As more people buy devices such as the Echo, Google Home, or other similar always-listening devices, they’ll likely be at an increased risk of eavesdropping, as similar flaws are more sought-out by malicious parties. We also know that the FBI has started becoming quite interested in using Amazon’s Echo to surveil suspects, and this interest will likely only grow in the future.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
-
kenzen22b It is NOT a flaw when it is a intentionally made as a government backdoor that they hoped would not be found.Reply -
sykozis 20920010 said:Is anyone actually surprised that Echo has a flaw like this?
Not in the least. I warned of this exact thing back when the Echo first launched.... -
Gam3r01 Except you have to willingly and actively enable one of said malicious skills in the first place.Reply -
sykozis 20920311 said:Except you have to willingly and actively enable one of said malicious skills in the first place.
The same is the case with a lot of malware that targets Windows systems..... -
Questors What I don't understand is, if a stranger were hanging around your home, peaking in your windows and using listening devices and cameras/video and you knew it, you would be angry like a wounded bear. Actions would include confronting the creep in anger, physical violence, calling of police and/or shooting, clubbing or stabbing the sob, among other thing.Reply
Yet people continue to bring these thoroughly invasive devices into their home and pay to do it.
stu·pid·i·ty
NOUN
behavior that shows a lack of good sense or judgment.
"I can't believe my own stupidity" · synonyms: lack of intelligence · unintelligence · foolishness · denseness · brainlessness · ignorance · mindlessness · dull-wittedness · dull-headedness · dullness · slow-wittedness · doltishness · the quality of being stupid or unintelligent.
"a comedy of infantile stupidity" -
sykozis 20920338 said:Exactly, a non-issue if you have any sort of sense of "security".
Except that you miss the simple fact that Amazon can choose to use the Echo is precisely the same way as any "malicious skill" could.... This is what the Echo was designed for. To listen in on customers. Is there any proof that Amazon isn't already doing this themselves? Or whether they have plans to at some point? Good security "sense" would include not buying such a device to start with. -
Dark Lord of Tech Amazon and he US government work hand in hand. So this device is basically a spying tool , like many other voice oriented tech.Reply
Wasn't a flaw and even if patched will still record and listen.