Security researchers from Checkmarx just confirmed what everyone always suspected: Amazon’s voice-controlled personal assistant Alexa listens to your every move. While it was obvious that Alexa had to listen in order to react to her name and commands, this team of researchers presented test cases on security loopholes created because Alexa constantly listens.
They easily created an Alexa skill that turned the device into a surveillance nightmare, listening in and transcribing any conversation you have around an Amazon device featuring the smart assistant. By using the “Reprompt” feature, they bypassed Alexa’s usual behavior of NOT listening after carrying out a command. Instead, Alexa could now listen again whenever the original command was not understood.
“As far as we could tell, there was no limit. As long as you don’t tell it to stop, it wouldn’t,” said Amit Ashbel, a Checkmarx representative.
The security researchers quickly disclosed the vulnerability to Amazon, which, to its credit, reacted promptly and eliminated the issues.
“Customer trust is important to us and we take security and privacy seriously. We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do,” reassured Amazon.
Indeed, since April 10, Amazon has released fixes to eliminate that security hole.