Checkmarx, a company that provides automated security code review services, has uncovered a flaw in Amazon’s Echo that allows it to eavesdrop on users at all times, without the users being aware of it.
Alexa Is Always Listening
Normally, the Echo has an “always-on” listening capability, which in theory is supposed to only be fully activated when it hears the word “Alexa.” Once a user says Alexa, the device will start recording what the user says and analyze that audio information. After it provides the information the user requested, then its listening capabilities should go back to stand-by and it should stop recording users’ voices.
However, a flaw uncovered by Checkmarx researchers can allow a malicious party to record everything indefinitely after the user has activated a malicious app (or “skill”).
Exploiting this bug still required the researchers to ensure the Alexa recording session would stay alive after the user received a silent response from the device. They also had to ensure that the transcribing of the recorded voice was accurate, in order for the data to be useful to a malicious party.
The Checkmarx researchers disclosed the flaw to Amazon and said that they worked closely with the company’s team to implement some solutions against this type of attack. For starters, Amazon will review apps under a stricter criteria, to find the "eavesdropping" skills. The company will also change Echo's code to take appropriate actions when certain skills send empty-reprompts or when the sessions take longer than usual.
As more people buy devices such as the Echo, Google Home, or other similar always-listening devices, they’ll likely be at an increased risk of eavesdropping, as similar flaws are more sought-out by malicious parties. We also know that the FBI has started becoming quite interested in using Amazon’s Echo to surveil suspects, and this interest will likely only grow in the future.
Not in the least. I warned of this exact thing back when the Echo first launched....
The same is the case with a lot of malware that targets Windows systems.....
Yet people continue to bring these thoroughly invasive devices into their home and pay to do it.
behavior that shows a lack of good sense or judgment.
"I can't believe my own stupidity" · synonyms: lack of intelligence · unintelligence · foolishness · denseness · brainlessness · ignorance · mindlessness · dull-wittedness · dull-headedness · dullness · slow-wittedness · doltishness · the quality of being stupid or unintelligent.
"a comedy of infantile stupidity"
Except that you miss the simple fact that Amazon can choose to use the Echo is precisely the same way as any "malicious skill" could.... This is what the Echo was designed for. To listen in on customers. Is there any proof that Amazon isn't already doing this themselves? Or whether they have plans to at some point? Good security "sense" would include not buying such a device to start with.
Wasn't a flaw and even if patched will still record and listen.