The Amazon Echo and Alexa pioneered the whole smart speaker category of gadgets and they opened our eyes (and ears) to what an always-on, always-listening appliance can do. It answers your questions, controls your smart home, plays music, helps you organize your day, reads you the news and controls your TV. Alexa’s set of skills grows each day!
But with all this convenience, an always-listening gadget will always raise privacy and cybersecurity concerns. What if a clever hacker finds a flaw that can turn Alexa into a secret surveillance assistant? That could be a complete security nightmare to the millions and millions of Amazon Echo owners out there.
And security researchers found exactly that. By exploiting a loophole in how Alexa responds, they discovered that a crafty developer can actually fool it to record you indefinitely! Read on and I’ll tell you how this exploit works and how to protect yourself and your family from such attacks.
Alexa can be fooled
Researchers at cybersecurity firm Checkmarx revealed that they discovered a flaw in Amazon’s Alexa virtual assistant that can fool it to listen to its surroundings indefinitely.
Their secret weapon? A special Echo skill that can continue to listen to its users long after it’s been activated. Note: Echo skills are similar to what apps are to smartphones.
“As far as we could tell, there was no limit,” Checkmarx’s product marketing director Amit Ashbel said. “As long as you don’t tell it to stop, it wouldn’t.”
What does this imply? Well, a hacker with the proper know-how can turn an Echo into a spying gadget.
How did the hack work?
In their tests, Checkmarx researchers coded a seemingly innocent calculator Echo skill to perform the exploit. Typically, when you use an Echo skill, it goes back to sleep after the request is processed.
With their test calculator skill, however, the Echo remained active and continued on listening even when the user’s initial math question was solved.
By exploiting Alexa’s reprompt ability, which allows a skill to process a string of requests, they managed to keep Alexa listening by inserting a silent vocal prompt.
Normally, when a multi-stringed skill performs an initial request, Alexa sends an audible vocal prompt to inform you that a session is still active, awaiting further commands.
But the researchers discovered that Alexa can accept an empty reprompt string, allowing it to remain silent while waiting for the next command. A user might think that the skill has closed but Alexa is still quietly recording in the background.
With a silent prompt, the only indicator that Alexa is still listening is the active blue light on top of the Echo.
All the audio captured by the skill was then sent to the researchers as a word-for-word transcript. It turns out, although only Amazon can get access to actual Echo voice recordings, developers can retrieve transcripts generated by their skills.
What can you do to protect yourself?
Here’s the good news: Checkmarx said that they have informed Amazon about this flaw and thankfully, the issue was fixed on April 10.
Amazon Echo gadgets automatically update themselves when they’re connected to the internet so your Echo should have the fixes in place by now.
Amazon’s fixes removed a skill’s ability to issue silent reprompts and also limited the time Alexa can listen for commands. This should prevent similar tactics from being exploited in the future.
“Customer trust is important to us and we take security and privacy seriously,” Amazon said in an official statement. “We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do.”
For extra privacy, there’s also a way to mute the Echo’s mics. To turn the Echo’s mic off, press the microphone off/on button on the top of the device. Whenever this button is red, the mic is off. To reactivate it, just press the button again.
Additionally, as demonstrated by Checkmarx’s tests, as long as your Echo’s blue light is on, then it is actively listening. If you ever notice that this blue light is on for an extended amount of time, then something fishy is definitely going on and it’s a good idea to review all your installed skills.
Review and disable your Echo’s skills
To see all your installed Echo skills and disable the ones you don’t need or recognize, here’s what you need to do.
- Open your Alexa app on your smartphone or tablet, tap the menu icon (the three horizontal lines on the upper left corner) then Tap skills.
- Tap “Your Skills ” in the upper right corner.
- This will give you a list of all your Echo’s enabled skills, just updated skills, and skill that require your attention (usually for account linking.)
- To disable a skill, just tap on it then tap the “DISABLE SKILL” button.
How to listen to everything Amazon Echo has ever heard
Are you concerned about what Alexa records about you? Here are some extra tips on how to listen and delete every voice command you’ve ever issued to your Amazon Echo.