David Limp, senior vice president of Devices and Services at Amazon © Jeffrey Dastin / Reuters
Researchers at the security firm Checkmarx discovered the Achilles heel of the Amazon’s Echo speakers – a bug which allows the device to listen to its surroundings long after it should have shut down.
The bug does not allow the recordings to be passed on to hackers, but they would remain with Amazon itself, the company said, as quoted by The Telegraph.
Echo, a smart speaker introduced by Amazon at the end of 2014, connects to voice-controlled personal assistant service Alexa. The device can set alarms, provide weather or traffic reports, make to-do lists, stream podcasts, and play audiobooks. Echo is also designed to control several smart devices acting as a home automation hub.
The smart device usually listens in order to wake up when it hears the word ‘Alexa.’ Then the user may send the speaker a command, like “Alexa, what’s the weather today?” or “Alexa, play jazz.” The user’s interaction with the speaker is recorded to improve the service. However, once the command is finished, Alexa should stop recording.
The speaker’s skills could be further developed and allow Alexa to listen to the user’s surroundings long after it should have switched itself off, according to the Checkmarx researchers, as cited by the media. Then, the device may automatically transcribe what it hears for a hacker.
The nature of the bug lies in Alexa’s inability to hear a command correctly all the time, with the Echo forced to ask to repeat it again. This ‘re-prompt’ feature could reportedly be exploited and be programmed to carry on listening, while muting Alexa’s responses, according to the researchers.
“For the Echo listening is key. However, with this device’s rise in popularity, one of today’s biggest fears in connection to such devices is privacy,” Checkmarx told the media. “Especially, when it comes to a user’s fear of being unknowingly recorded.”
Amazon has reportedly addressed the flaw to better detect its product’s Skills. Manipulating the Echo didn’t actually require any attacks on the Echo itself, only a Skill coded to exploit its current features.
“We have put mitigations in place for detecting this type of Skill behavior and reject or suppress those Skills when we do,”Amazon told The Telegraph.