Amazon Echo made to eavesdrop without exploit or manipulation
Checkmarx security researchers developed a proof-of-concept attack that would enable an Amazon Echo to continue recording a user long after a request is made.
The exploit doesn’t require any tweaks to Alexa’s software or any vulnerabilities; instead, it uses a functioning calculator application that records and transcribes activity for an extended period of time, according to Wired.
The hackers used only existing features that were, at the time, available to every developer making applets for the platform, and uploaded the application to the Alexa store.
It’s worth noting that the device’s blue ring stays lit during the entire process, signifying that the device is still listening or at least active, but a user who wasn’t within eyeshot of the device would have no audible notification that it is still recording or even active.
Amazon has since fixed the flaw and told the publication it is now controlling empty prompts more carefully and screening for eavesdropping functionality when it evaluates skills for its store.
Source: SC Magazine