Amazon Echo Flaw Allowed For Silent Eavesdropping Of Users' Conversations

Checkmarx, a company that provides automated security code review services, has uncovered a flaw in Amazon’s Echo that allows it to eavesdrop on users at all times, without the users being aware of it.

Alexa Is Always Listening

Normally, the Echo has an “always-on” listening capability, which in theory is supposed to only be fully activated when it hears the word “Alexa.” Once a user says Alexa, the device will start recording what the user says and analyze that audio information. After it provides the information the user requested, then its listening capabilities should go back to stand-by and it should stop recording users’ voices.

However, a flaw uncovered by Checkmarx researchers can allow a malicious party to record everything indefinitely after the user has activated a malicious app (or “skill”).

Conversation silently recorded by AlexaConversation silently recorded by Alexa
Exploiting this bug still required the researchers to ensure the Alexa recording session would stay alive after the user received a silent response from the device. They also had to ensure that the transcribing of the recorded voice was accurate, in order for the data to be useful to a malicious party.

Mitigations

The Checkmarx researchers disclosed the flaw to Amazon and said that they worked closely with the company’s team to implement some solutions against this type of attack. For starters, Amazon will review apps under a stricter criteria, to find the "eavesdropping" skills. The company will also change Echo's code to take appropriate actions when certain skills send empty-reprompts or when the sessions take longer than usual.

As more people buy devices such as the Echo, Google Home, or other similar always-listening devices, they’ll likely be at an increased risk of eavesdropping, as similar flaws are more sought-out by malicious parties. We also know that the FBI has started becoming quite interested in using Amazon’s Echo to surveil suspects, and this interest will likely only grow in the future.

Amazon Echo: Alexa Leveraged as a Silent Eavesdropper

Create a new thread in the News comments forum about this subject
This thread is closed for comments
10 comments
Comment from the forums
    Your comment
  • kenzen22b
    It is NOT a flaw when it is a intentionally made as a government backdoor that they hoped would not be found.
  • Brian_R170
    Is anyone actually surprised that Echo has a flaw like this?
  • sykozis
    Anonymous said:
    Is anyone actually surprised that Echo has a flaw like this?


    Not in the least. I warned of this exact thing back when the Echo first launched....