Cyber security researchers created a way for Amazon Alexa devices to eavesdrop on their owners, listening indefinitely without their permission and sending transcripts of the recordings back to the researchers.
The flaw in how Alexa works, which has since been patched by Amazon, saw the creation of a seemingly innocent calculator 'skill' - the word for an Alexa app - with code which caused Alexa to keep listening after providing the requested answer. This covert recording was then transcribed and sent to the researchers as a text document.
Under normal conditions, Amazon Echo devices - and third-party devices with Alexa integrated - include a microphone which is always listening, but only for the device's 'wake word', which can be set to be Alexa, Amazon, Echo or Computer. When this is heard, the device starts listening for what you want to say - and on some products, like the Echo range, a blue light indicates this is happening.
Once the user has finished asking their question - in this case, a math problem - recording stops and the audio file is quickly sent to Amazon's servers, which generate Alexa's reply a couple of seconds later. If Alexa doesn't understand, or wants more information, it asks a follow-up question.
Security testing firm Checkmarx then discovered that this request to repeat or ask another question can be muted, so the user doesn't hear it, and the time Alexa spends listening for a reply can be made indefinitely long. The device's blue light remains lit while it is listening, but someone who is talking to an Alexa product is unlikely to be constantly looking at it, especially if they think the conversation has ended.
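The behaviour described above can be checked for on the skill-review side. The following is an added example, not code from the article, from Checkmarx or from Amazon: a small linter that inspects the JSON responses a skill returns and flags a turn that keeps the session open while giving the user nothing audible to respond to, plus a session that a skill holds open for an unusually long run of turns. The field names (response.shouldEndSession, response.reprompt.outputSpeech) follow the Alexa Skills Kit response format as the author understands it and should be treated as an assumption to verify against current documentation; the sample responses are constructed.

```python
import re

# Constructed sample skill responses (not from the article or from Checkmarx).
# Field names follow the Alexa Skills Kit JSON response format as understood here
# (response.shouldEndSession, response.reprompt.outputSpeech); verify against the docs.
BENIGN = {
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "Twelve times four is forty eight."},
        "shouldEndSession": True,
    },
}

# A legitimate follow-up question: the session stays open, but the user hears a prompt.
FOLLOW_UP = {
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "Did you mean twelve or twenty?"},
        "reprompt": {"outputSpeech": {"type": "PlainText", "text": "Twelve or twenty?"}},
        "shouldEndSession": False,
    },
}

# The pattern to flag: the answer is given, the session stays open, and the reprompt
# is SSML containing nothing but a pause, so the user hears no follow-up question.
SILENT_OPEN = {
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "Twelve times four is forty eight."},
        "reprompt": {"outputSpeech": {"type": "SSML", "ssml": "<speak><break time=\"10s\"/></speak>"}},
        "shouldEndSession": False,
    },
}

_TAG = re.compile(r"<[^>]+>")


def is_silent(output_speech):
    """True when an outputSpeech object would produce no audible words."""
    if not output_speech:
        return True
    kind = output_speech.get("type")
    if kind == "PlainText":
        return not output_speech.get("text", "").strip()
    if kind == "SSML":
        # Strip markup; a reprompt made only of <break/> tags leaves nothing to speak.
        return not _TAG.sub("", output_speech.get("ssml", "")).strip()
    return False  # unknown type: do not guess


def review_response(resp):
    """Return a list of findings for one skill response."""
    findings = []
    r = resp.get("response", {})
    # Only an explicit false is treated as "keep listening".
    if r.get("shouldEndSession") is False:
        reprompt = (r.get("reprompt") or {}).get("outputSpeech")
        if is_silent(reprompt):
            findings.append("session kept open with a silent reprompt")
    return findings


def review_session(responses, max_open_turns=3):
    """Review the sequence of responses a skill returned during one session.

    Flags each silent-reprompt turn, and flags once when the skill keeps the
    session open for more than max_open_turns consecutive turns (the threshold
    is an arbitrary tuning choice for this example).
    """
    findings = []
    open_run = 0
    for i, resp in enumerate(responses):
        for f in review_response(resp):
            findings.append(f"turn {i}: {f}")
        if resp.get("response", {}).get("shouldEndSession") is False:
            open_run += 1
        else:
            open_run = 0
        if open_run == max_open_turns + 1:
            findings.append(
                f"turn {i}: session held open for more than {max_open_turns} consecutive turns"
            )
    return findings


if __name__ == "__main__":
    for name, resp in [("benign", BENIGN), ("follow-up", FOLLOW_UP), ("silent-open", SILENT_OPEN)]:
        print(name, review_response(resp))
    print(review_session([SILENT_OPEN] * 5))
```

Run stand-alone, the script reports no findings for the benign and follow-up responses, one finding for the silent open-session response, and a session-length finding once the same response repeats past the threshold. In a real review pipeline the same checks would run over recorded skill traffic rather than hard-coded samples.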
Amazon is on a mission to put Alexa in every room of our homes, with the Echo speaker intended for kitchens and lounges, while the compact Echo Spot (which also has a screen and camera) is designed for the bedside table and the entry-level Echo Dot is intended to be placed anywhere. Various car manufacturers are also working on bringing Alexa to their vehicle infotainment systems.
Regarding how long Alexa could be programmed to eavesdrop for, Amit Ashbel, director of product marketing at Checkmarx, told Cnet: "As far as we could tell, there was no limit. As long as you don't tell it to stop [listening], it wouldn't."
As for recorded conversations going to hackers, Checkmarx say they are sent to all skill developers as text files. The audio recordings, however, remain on Amazon's servers, where they can be accessed (and deleted) by the user through their Alexa app. Ashbel said: "The voice recording doesn't actually go to the hacker, but the transcription is sent to the hacker that developed the skill. That would actually let them eavesdrop into your conversation."
The rogue calculator skill was created by the researchers and used only on themselves to test the flaw, but until Amazon fixed it, it could theoretically have been exploited by less well-meaning developers. The issue, Checkmarx says, has been resolved since April 10, after the company privately made Amazon aware of it.
Amazon said: "Customer trust is important to us and we take security and privacy seriously. We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do."
Google had to quickly remove a feature from its rival Home Mini smart speaker after it was found that the microphone could be triggered by the slightest movement nearby. This flaw caused the review unit borrowed by a journalist to record almost constantly until the journalist discovered it. The faulty feature, which allowed the device to be told to listen with a press, was immediately removed from all Home Mini speakers worldwide.