Researchers show how Amazon Echo can be used for eavesdropping
Privacy became a top-of-mind issue with the introduction of personal assistants like the Siri-enabled Apple HomePod, Google Home and Amazon’s Alexa-powered Echo. Many believed these products could be used as tapping devices.
Turns out they were right, as evidenced by two researchers who built a malicious Alexa skill (a third-party voice application, not malware installed on the device) and turned Amazon’s Echo into a “bug.”
Although the microphone is technically always on, voice-enabled assistants listen locally only for a wake word and stream audio to and from the cloud only after hearing it – in the case of Echo, the name of the AI persona that does the talking: Alexa.
Users typically ask Alexa things like what the weather is like, general knowledge questions and math problems, or they ask the assistant to play music from their library. Once the assistant performs the requested action, it ends the session, stops streaming to the cloud and goes back to listening only for its wake word. However, when an answer is likely to be followed up with another question from the user (a quiz, for example), the skill handling the conversation can keep the session open, so Alexa keeps listening and forwards the next utterance to it.
It was this session-extension behaviour that Maty Siman and Shimi Eshkenazi at the Checkmarx Research Lab abused to turn the Echo into a tapping device.
They managed to keep the listening session open long after the user’s request was answered, have whatever was spoken near the assistant transcribed, and send the transcripts to their command & control server.
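The session behaviour described above, as an added example that is not part of the article or of Checkmarx’s published work: a minimal Alexa custom-skill response built in Python (the Alexa Skills Kit JSON format, where the documented `shouldEndSession` flag decides whether the device keeps the microphone open for a follow-up), beside a small audit that flags replies which keep listening without an audible reprompt and sessions that stay open across many turns. The skill content, utterances and the turn budget are constructed for the illustration; the article does not describe the mechanics of the researchers’ skill, and this code does not claim to reproduce them.

```python
"""Session control in an Alexa custom skill, with an audit for replies that
keep listening.  Added illustration, not Checkmarx's or Amazon's code.

A custom skill never receives audio: Alexa sends it the transcribed utterance
as JSON and the skill answers with JSON.  The documented field
``response.shouldEndSession`` decides whether the device goes back to waiting
for the wake word (True) or keeps the microphone open for a follow-up (False),
in which case the next utterance is transcribed and delivered to the same
skill.  Skill content, utterances and the turn budget below are constructed
for the example.
"""
import re


def build_response(speech_text, end_session=True, reprompt_text=None):
    """Return a minimal Alexa Skills Kit response body (interface version 1.0)."""
    body = {
        "version": "1.0",
        "response": {
            "outputSpeech": {"type": "PlainText", "text": speech_text},
            "shouldEndSession": end_session,
        },
    }
    if reprompt_text is not None:
        # The reprompt is what Alexa speaks if the user says nothing; it is the
        # one audible cue that the skill is still waiting for input.
        body["response"]["reprompt"] = {
            "outputSpeech": {"type": "PlainText", "text": reprompt_text}
        }
    return body


def weather_answer():
    """Terminal answer: nothing to follow up, so the session is closed."""
    return build_response("It is 22 degrees and sunny.", end_session=True)


def quiz_question():
    """Legitimate follow-up: the session stays open and the reprompt says so."""
    return build_response(
        "Question one: what is the capital of France?",
        end_session=False,
        reprompt_text="Say the capital of France, or say stop to quit.",
    )


def _spoken_text(output_speech):
    """Audible text of a PlainText or SSML outputSpeech object ('' if none)."""
    if not output_speech:
        return ""
    if output_speech.get("type") == "SSML":
        # Drop markup so a reprompt made only of tags (e.g. a pause) is silent.
        return re.sub(r"<[^>]+>", "", output_speech.get("ssml", "")).strip()
    return output_speech.get("text", "").strip()


def audit_response(body):
    """Findings for one skill response; an empty list means nothing to flag."""
    findings = []
    resp = body.get("response", {})
    if resp.get("shouldEndSession", True) is False:
        findings.append("keeps the microphone open after answering")
        reprompt = resp.get("reprompt", {}).get("outputSpeech")
        if not _spoken_text(reprompt):
            findings.append("no audible reprompt tells the user it is still listening")
    return findings


def audit_session(responses, max_open_turns=3):
    """Audit the replies of one session in order.

    Every open-session reply is reported, and a run of more than
    max_open_turns consecutive open-session replies (threshold chosen for the
    example) is reported once, since a skill that never closes the session is
    what turns a question-and-answer into a standing listening post.
    """
    findings = []
    open_run = 0
    for turn, body in enumerate(responses, start=1):
        findings.extend(f"turn {turn}: {f}" for f in audit_response(body))
        if body.get("response", {}).get("shouldEndSession", True) is False:
            open_run += 1
            if open_run == max_open_turns + 1:
                findings.append(
                    f"turn {turn}: {open_run} consecutive replies kept the session open"
                )
        else:
            open_run = 0
    return findings


if __name__ == "__main__":
    leaky = build_response("Okay.", end_session=False, reprompt_text="")
    for label, body in (("weather", weather_answer()),
                        ("quiz", quiz_question()), ("leaky", leaky)):
        print(label, audit_response(body) or "clean")
    print(audit_session([leaky] * 5))
```

The audit is the kind of check a skill reviewer or a skill developer’s CI could run over recorded responses: an open session by itself is legitimate (the quiz), but an open session with nothing audible telling the user that the device is still listening, or one that is kept open turn after turn, is the shape of behaviour the article describes.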
Siman and Eshkenazi demonstrate in a detailed technical paper how they achieved the feat, but admit that they could not find a way to also deactivate the visual indicator (the blue light ring on top of the Echo) that shows Alexa is actively listening. That ring remains the one sign available to a user in the room that the session is still open.
Immediately after their discovery, the duo took the findings to Amazon Lab126 and worked closely with the team to develop a fix. However, it is not exactly comforting to know that it could be done in the first place, and perhaps can be done again in the future.