One of the most convenient things about Amazon’s Echo smart speaker is that Alexa is always ready to listen to your commands. However, a team from Checkmarx, a security testing firm, wanted to see if that always-on feature could turn the gadget into a hacking device — and it turns out the answer was yes.
Checkmarx was able to create a skill that allowed hackers to listen in on Echo devices and their users’ conversations. Amazon fixed the problem earlier this month, but the incident serves as a cautionary tale as our homes become more connected and voice assistant speakers become more common.
Here’s how Checkmarx did it: Ordinarily, Alexa stops listening after it carries out your command and doesn’t start again until you say the “Alexa” wake word. However, the researchers figured out that hackers could take advantage of Alexa’s “re-prompt” feature. If Alexa doesn’t understand what you say the first time, she lets you know that and keeps listening until you repeat yourself.
Checkmarx’s researchers found it would be possible for hackers to develop an Alexa skill that made the virtual assistant continue to listen even though it had understood the command the first time. They were also able to mute the follow-up prompt Alexa gives when she asks users to repeat themselves, so the speaker stayed silent but kept listening. The next part of the Checkmarx hack involved getting Alexa not only to keep listening without people realizing it, but also to transcribe what she heard. Amazon’s servers store the audio of what people say when they are speaking to Alexa.
Usually, developers who make skills get transcriptions of those conversations only as long as the spoken words fall within the context of the skill. In this case, Checkmarx’s team made the skill record any word that was part of Alexa’s built-in dictionary.
Users have plenty of security considerations to worry about when it comes to cloud-stored data. With that in mind, Checkmarx’s researchers wanted to ensure their findings held true in real life. They created a seemingly innocent calculator skill that made Alexa keep listening for over a minute until someone from Checkmarx told it to stop. People in the room talked as the skill kept running. They found that, sure enough, the dialogue was captured in a word-for-word transcript, effectively giving a person the ability to “eavesdrop” by reading the text.
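As an added illustration (not Checkmarx’s or Amazon’s code), here is a small review check over Alexa Skills Kit response JSON that flags the shape this research relied on: a session kept open while the reprompt contains nothing audible, which is the kind of rule a skill-certification or CI pipeline could apply. The two sample responses are constructed; the JSON keys and SSML tags are the standard ASK response format.

```python
import re

# Constructed sample skill responses (ASK response format; values are made up).
BENIGN = {
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "Five plus three is eight."},
        "reprompt": {"outputSpeech": {"type": "PlainText",
                                      "text": "What else should I calculate?"}},
        "shouldEndSession": False,
    },
}
SUSPICIOUS = {
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "Five plus three is eight."},
        # A reprompt made only of SSML pauses: the mic stays open, the user hears nothing.
        "reprompt": {"outputSpeech": {"type": "SSML",
                                      "ssml": '<speak><break time="10s"/></speak>'}},
        "shouldEndSession": False,
    },
}

_TAG = re.compile(r"<[^>]+>")


def audible_text(speech):
    """Words the user would actually hear from an outputSpeech object.

    SSML tags (<speak>, <break>, <audio> ...) are stripped, so a reprompt built
    only from pauses or a silent audio clip reduces to the empty string.
    """
    if not speech:
        return ""
    raw = speech.get("ssml", "") if speech.get("type") == "SSML" else speech.get("text", "")
    return " ".join(_TAG.sub(" ", raw or "").split())


def silent_listening(resp):
    """True when the skill keeps the session open but gives no audible reprompt.

    Assumption: only an explicit shouldEndSession=false is treated as keeping the
    session open; a missing reprompt is flagged because the user gets no cue.
    """
    r = resp.get("response", {})
    if r.get("shouldEndSession", True):
        return False
    return audible_text(r.get("reprompt", {}).get("outputSpeech")) == ""
```

Running `silent_listening` over every response a skill emits during a test conversation would surface the silent-reprompt pattern before the skill reaches users.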
Checkmarx reached out to Amazon to tell the company about the device’s flaw earlier this month, and Amazon fixed the problem on April 10.
Amit Ashbel, Checkmarx’s director of product marketing, said Amazon shortened the amount of time Alexa continues to listen and removed the ability to silence Alexa’s reprompting dialog. Those adjustments make it impossible to re-create the hack. Amazon did not comment on the hack.
If you’re worried about Alexa listening in on you, you can always go into the app and delete your history.