Posted On April 28, 2018
Amazon fixes Alexa bug that let Echo keep listening
Amazon’s Echo speakers featured a bug that meant the speaker continued to listen to its surroundings.
Security researchers found a way to make the device continue listening long after it should have switched off. Amazon said this would not have allowed the recordings to be passed to hackers; they would have stayed with Amazon itself.
Amazon Echo speakers listen out for the word “Alexa”, the name of its voice assistant, before completing a command, like “Alexa, tell me today’s news”. Any interaction with Alexa is recorded to improve the service, but once the command is finished, Alexa stops recording.
But security researchers from Checkmarx developed an Alexa Skill that would keep Alexa listening long after it should have switched itself off and automatically transcribe what it hears for an attacker.
When an Alexa skill completes its task it is supposed to stop listening. However, sometimes Alexa doesn’t hear a command correctly, which will lead the Echo to ask for the user to repeat it. This “re-prompt” feature could be exploited, the researchers found, and be programmed to carry on listening, while muting Alexa’s responses.
The only sign the Echo was still on was a blue light ring, which normally lights up when Alexa receives a command.
“For the Echo… listening is key,” Checkmarx said. “However, with this device’s rise in popularity, one of today’s biggest fears in connection to such devices is privacy. Especially when it comes to a user’s fear of being unknowingly recorded.”
Amazon has since addressed the flaw by better detecting Skills that appear to be built for listening to users and by automatically detecting long listening sessions by an Echo. Manipulating the Echo didn’t actually require any attacks on the Echo itself, only a Skill coded to exploit its current features.
“We have put mitigations in place for detecting this type of Skill behavior and reject or suppress those Skills when we do,” Amazon said.
It’s not the first flaw found on Amazon’s Echo. Last year it was revealed second-hand Echo devices could be tampered with to be turned into listening devices.