On Thursday, news emerged that a Portland family’s Echo device had recorded one of their conversations without their knowledge and then sent the audio file to one of their contacts.
The impacted couple, whose last name was not reported and who said the incident occurred two weeks ago, told news station KIRO 7 that they realized they were being recorded when the contact who received the file called them to say she had received an uncanny voice recording. The couple then called Amazon and notified the tech company about the incident.
Amazon has confirmed the error and offered an explanation of what happened in an emailed statement to Threatpost:
“Echo woke up due to a word in background conversation sounding like ‘Alexa.’ Then, the subsequent conversation was heard as a ‘send message’ request. At which point, Alexa said out loud ‘To whom?’ At which point, the background conversation was interpreted as a name in the customer’s contact list. Alexa then asked out loud, ‘[contact name], right?’ Alexa then interpreted background conversation as ‘right.’”
Like many homes with Alexa-controlled assistants, the Portland family’s home was wired with Internet of Things-connected Amazon devices to control the house’s heat, lights and security system. The family said that they disconnected everything after the incident.
Many in the tech industry see the incident as yet another example of just how easy it is for Alexa – and other voice assistants – to expose consumers’ private conversations and lives within their homes.
“It is not clear if this was simply a software flaw or a malicious attack, but it is a stark wake-up call nonetheless,” Andreas Kuehlmann, senior vice president and general manager at Synopsys, said in an email. “The reports that a popular voice assistant unexpectedly recorded a personal conversation and leaked information to a third party should be a reminder of the potential security and privacy risks of our… always-connected world.”
Amazon has been under heightened scrutiny before when it comes to privacy issues: In May, a team of researchers found that it is possible to closely mimic legitimate voice commands in order to carry out suspicious actions. In April, Checkmarx researchers launched a malicious proof-of-concept Amazon Echo Skill to show how attackers can abuse the Alexa virtual assistant to eavesdrop on consumers with smart devices and automatically transcribe every word said.
But this month’s incident shows that even when a team of researchers isn’t actively looking for vulnerabilities, glitches still exist within smart voice assistants that can potentially lead to a breach of privacy.
“Security and privacy continue to be an issue for these new connected devices… with hackers looking to target these new devices, this is a reminder of the privacy risks that exist for users, at home and at work,” Nadir Izrael, CTO of Armis, said in an emailed comment.
Privacy issues aren’t just limited to Alexa. Last year, researchers devised a proof of concept that gives potentially harmful instructions to popular voice assistants like Siri, Google, Cortana, and Alexa using ultrasonic frequencies instead of voice commands.
Amazon said in the statement that “as unlikely as this string of events is, we are evaluating options to make this case even less likely.”