Amazon Echo Flaw Allowed For Silent Eavesdropping Of Users' Conversations

Checkmarx, a company that provides automated security code review services, has uncovered a flaw in Amazon’s Echo that allows it to eavesdrop on users at all times, without the users being aware of it.

Alexa Is Always Listening

Normally, the Echo has an “always-on” listening capability, which in theory is supposed to only be fully activated when it hears the word “Alexa.” Once a user says Alexa, the device will start recording what the user says and analyze that audio. After it provides the information the user requested, its listening capabilities should return to standby and it should stop recording users’ voices.

However, a flaw uncovered by Checkmarx researchers can allow a malicious party to record everything indefinitely after the user has activated a malicious app (or “skill”).

Conversation silently recorded by Alexa

Exploiting this bug still required the researchers to ensure the Alexa recording session would stay alive after the user received a silent response from the device. They also had to ensure that the transcribing of the recorded voice was accurate, in order for the data to be useful to a malicious party.

Mitigations

The Checkmarx researchers disclosed the flaw to Amazon and said that they worked closely with the company’s team to implement some solutions against this type of attack. For starters, Amazon will review apps under stricter criteria to find “eavesdropping” skills. The company will also change the Echo’s code to take appropriate actions when certain skills send empty reprompts or when sessions last longer than usual.
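The two signals Amazon says it will act on, an empty reprompt sent while the session is kept open and a session that runs longer than usual, can be expressed as a simple review check. The following is an added example, not Checkmarx’s or Amazon’s code; the envelope field names (`shouldEndSession`, `outputSpeech`, `reprompt`) are assumed from the public Alexa Skills Kit response format, and the sample responses are constructed.

```python
import re

# Constructed sample responses in the Alexa Skills Kit response envelope.
# Field names are assumed from the public ASK response format; the samples
# are not captured from any real skill.
NORMAL = {"version": "1.0", "response": {
    "outputSpeech": {"type": "PlainText", "text": "Which city?"},
    "reprompt": {"outputSpeech": {"type": "PlainText", "text": "Say a city name."}},
    "shouldEndSession": False}}
SILENT_REPROMPT = {"version": "1.0", "response": {
    "outputSpeech": {"type": "PlainText", "text": "Okay."},
    "reprompt": {"outputSpeech": {"type": "PlainText", "text": ""}},
    "shouldEndSession": False}}
ENDED = {"version": "1.0", "response": {
    "outputSpeech": {"type": "PlainText", "text": "Goodbye."},
    "shouldEndSession": True}}


def is_silent(output_speech):
    """True when a speech object produces no audible words (missing, empty, or tag-only SSML)."""
    if not output_speech:
        return True
    if output_speech.get("type") == "SSML":
        # Drop SSML markup such as <speak>; only spoken text should remain.
        words = re.sub(r"<[^>]+>", "", output_speech.get("ssml", ""))
    else:
        words = output_speech.get("text", "")
    return not words.strip()


def review(envelope, session_age_s, max_session_s=60):
    """Return review findings for one skill response; an empty list means nothing suspicious."""
    resp = envelope.get("response", {})
    findings = []
    # Assumption: a response that omits shouldEndSession closes the session.
    if resp.get("shouldEndSession", True):
        return findings
    if is_silent(resp.get("outputSpeech")):
        findings.append("silent response while keeping session open")
    if is_silent(resp.get("reprompt", {}).get("outputSpeech")):
        findings.append("empty reprompt while keeping session open")
    if session_age_s > max_session_s:
        findings.append(f"session open for {session_age_s}s, above {max_session_s}s")
    return findings


if __name__ == "__main__":
    for name, env in [("normal", NORMAL), ("silent", SILENT_REPROMPT), ("ended", ENDED)]:
        print(name, review(env, session_age_s=120))
```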

As more people buy devices such as the Echo, Google Home, or other similar always-listening devices, they’ll likely be at an increased risk of eavesdropping, as similar flaws become more sought after by malicious parties. We also know that the FBI has started becoming quite interested in using Amazon’s Echo to surveil suspects, and this interest will likely only grow in the future.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • kenzen22b
    It is NOT a flaw when it is intentionally made as a government backdoor that they hoped would not be found.
    Reply
  • Brian_R170
    Is anyone actually surprised that Echo has a flaw like this?
    Reply
  • sykozis
    20920010 said:
    Is anyone actually surprised that Echo has a flaw like this?

    Not in the least. I warned of this exact thing back when the Echo first launched....
    Reply
  • Gam3r01
    Except you have to willingly and actively enable one of said malicious skills in the first place.
    Reply
  • sykozis
    20920311 said:
    Except you have to willingly and actively enable one of said malicious skills in the first place.

    The same is the case with a lot of malware that targets Windows systems.....
    Reply
  • Gam3r01
    Exactly, a non-issue if you have any sort of sense of "security".
    Reply
  • Dark Lord of Tech
    They were designed to do this and always will.
    Reply
  • Questors
    What I don't understand is, if a stranger were hanging around your home, peeking in your windows and using listening devices and cameras/video and you knew it, you would be angry like a wounded bear. Actions would include confronting the creep in anger, physical violence, calling of police and/or shooting, clubbing or stabbing the sob, among other things.

    Yet people continue to bring these thoroughly invasive devices into their home and pay to do it.

    stu·pid·i·ty
    NOUN

    behavior that shows a lack of good sense or judgment.
    "I can't believe my own stupidity" · synonyms: lack of intelligence · unintelligence · foolishness · denseness · brainlessness · ignorance · mindlessness · dull-wittedness · dull-headedness · dullness · slow-wittedness · doltishness · the quality of being stupid or unintelligent.
    "a comedy of infantile stupidity"
    Reply
  • sykozis
    20920338 said:
    Exactly, a non-issue if you have any sort of sense of "security".

    Except that you miss the simple fact that Amazon can choose to use the Echo in precisely the same way as any "malicious skill" could.... This is what the Echo was designed for. To listen in on customers. Is there any proof that Amazon isn't already doing this themselves? Or whether they have plans to at some point? Good security "sense" would include not buying such a device to start with.
    Reply
  • Dark Lord of Tech
    Amazon and the US government work hand in hand. So this device is basically a spying tool, like many other voice oriented tech.
    Wasn't a flaw and even if patched will still record and listen.
    Reply