With the entry of smart speakers such as Amazon Echo or Google Home, backed by voice assistants, the privacy concerns are only going to get bigger. If you fear that your smart speaker is eavesdropping on your conversations, you may not be wrong.
And believe it or not, researchers have confirmed our fears by developing an Alexa skill for the Amazon Echo that allows it to indefinitely listen in on your conversations. And if you plan on searching for the same on the Alexa skill (an app for the Echo devices) store, then let me tell you beforehand that you won’t find it.
Discovered by security experts at cybersecurity firm Checkmarx, this skill allowed them to transform Alexa into a covert spy by exploiting a vulnerability. This not only made it possible for them to listen to you talk but also transcribe the entire conversation you had inside your home sitting next to your Amazon Echo speaker.
As for how they manage to pull it off, the researchers built a normal calculator skill for Alexa – but hid few lines of malicious code in the same. When a user installs the skill and tries to solve math problems simply by asking Alexa, the attack or ‘spy’ mode is enabled on the Amazon Echo.
As you may know Echo is always listening for the ‘Alexa’ hotword and has a short window to process your query and give you a reply. During this short window, Alexa does keep a track of what’s being said. This is when the recording process ends.
The researchers tricked Alexa by asking for the calculator skill, starting a second process using their malicious code and letting it run on, by cutting off any form of voice prompt from Alexa that informs you about the microphone being active. Instead, the second process gave Alexa silent prompts to keep the recording, even without the Alexa hotword.
Amazon was informed about the eavesdropping loophole and the same has now been fixed. So, you don’t need to worry and chuck out your speaker out the door.