One month ago, a wide swath of the US population - most of which is a card-carrying member of the Amazon Prime collective - freaked out when news spread that Alexa-enabled gadgets would utter an unprovoked "bone-chillingly creepy" cackle or "sinister laugh."
Shortly after, Amazon confirmed that Alexa was indeed laughing out of the blue, and promptly fixed whatever glitch was plaguing the matrix at the time.
Yet while bizarre and sinister, the incidents were largely innocuous.
That, however, was not the case with the latest bug uncovered in Amazon's Echo, which allowed hackers to listen in on the speaker, a privilege which until recently most speculated was granted only to Amazon... and the NSA of course.
According to The Telegraph, researchers had found a way to make the Echo speakers continue listening long after they should have switched off. Amazon countered that the recordings would not have been passed to hackers, but would have stayed with Amazon itself.
The way the Amazon Echo speakers work is that they listen for the wake word "Alexa" before carrying out a command, like "Alexa, tell me today's news". Any interaction with Alexa is recorded to improve the service, but once the command is finished, Alexa stops recording. At least on paper: security researchers from Checkmarx developed an Alexa Skill that would keep Alexa listening long after it should have switched itself off and automatically transcribe what it hears for an attacker.
When an Alexa Skill completes its task it is supposed to stop listening. However, sometimes Alexa doesn't hear a command correctly, which leads the Echo to ask the user to repeat it. This "re-prompt" feature could be exploited, the researchers found, to carry on listening while muting Alexa's responses.
"For the Echo... listening is key," Checkmarx said. "However, with this device's rise in popularity, one of today's biggest fears in connection to such devices is privacy. Especially when it comes to a user's fear of being unknowingly recorded."
The good news: Amazon has since addressed the flaw, adding checks to detect Skills that appear to be built for listening to users and to automatically detect unusually long listening sessions on an Echo. Manipulating the Echo didn't actually require any attack on the Echo itself, only a Skill coded to exploit its existing features.
"We have put mitigations in place for detecting this type of Skill behavior and reject or suppress those Skills when we do," Amazon said.
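The kind of automated check Amazon describes can be illustrated on the Skill's own responses: a Skill keeps the microphone open by returning `shouldEndSession: false`, and a legitimate one says something when it does. The following is an added example, not Amazon's or Checkmarx's code, that scans a session's responses (in the real Alexa skill response JSON layout, with constructed values) and flags a run of muted turns that keep the session open.

```python
import re

# Constructed sample responses in the Alexa skill response JSON format (real key names,
# invented values). A legitimate skill holds the session open only while it has a
# question for the user, and audibly asks it.
BENIGN_SESSION = [
    {"response": {"outputSpeech": {"type": "PlainText", "text": "Which city?"},
                  "reprompt": {"outputSpeech": {"type": "PlainText", "text": "Say a city name."}},
                  "shouldEndSession": False}},
    {"response": {"outputSpeech": {"type": "PlainText", "text": "It is 18 degrees in Boston."},
                  "shouldEndSession": True}},
]

# The pattern the article describes: the session is held open turn after turn while the
# spoken output and the re-prompt are effectively muted.
EAVESDROP_SESSION = [
    {"response": {"outputSpeech": {"type": "PlainText", "text": "Welcome."},
                  "shouldEndSession": False}},
] + [
    {"response": {"outputSpeech": {"type": "SSML", "ssml": "<speak> </speak>"},
                  "reprompt": {"outputSpeech": {"type": "PlainText", "text": ""}},
                  "shouldEndSession": False}}
    for _ in range(4)
]


def is_silent(speech):
    """True when an outputSpeech object carries no audible words.
    SSML tags are stripped, so a response made only of markup counts as silent."""
    if not speech:
        return True
    text = speech.get("ssml", "") if speech.get("type") == "SSML" else speech.get("text", "")
    return not re.sub(r"<[^>]+>", "", text).strip()


def longest_silent_open_run(session):
    """Length of the longest run of consecutive turns that keep the session open
    (shouldEndSession false; Alexa treats a missing field as true) while saying nothing."""
    run = best = 0
    for resp in session:
        r = resp.get("response", {})
        keeps_open = not r.get("shouldEndSession", True)
        reprompt = (r.get("reprompt") or {}).get("outputSpeech")
        muted = is_silent(r.get("outputSpeech")) and is_silent(reprompt)
        run = run + 1 if keeps_open and muted else 0
        best = max(best, run)
    return best


def flag_session(session, max_silent_open=2):
    """Flag a session once more than max_silent_open muted turns in a row keep the mic open."""
    return longest_silent_open_run(session) > max_silent_open
```

The threshold is a hypothetical tuning knob; a single silent re-prompt can be a legitimate pause, so the check looks for a sustained run rather than one turn.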
The bad news: if others can do it, so can Amazon, and so can all other agencies, governmental or not, which Jeff Bezos is closely aligned with. And if Americans freaked out when they learned that Facebook collects all their private information - something that should have been obvious to 5-year-olds - we can't wait for the Congressional hearings in 2-4 years when the Kangaroo Court will have Jeff Bezos in the hot seat explaining how and why he wired tens of millions of Americans with 24/7 surveillance, something not even the NSA has been able to do.