Alexa Can Listen Indefinitely, Potentially Exploited to Transcribe Information to Cybercriminals

Researchers discovered a new internet of things (IoT) design flaw in a popular smart home system: They found that Amazon’s Alexa service can be programmed to eavesdrop on its users and transcribe all the information heard. Doing so only involves creating an application that allows the voice-activated digital assistant to send a transcript of everything it can hear back to the programmers, a capability that could be exploited to steal sensitive information.


The Alexa digital assistant is designed to listen to the user after a prompt is made, but the active session is kept short. Once the service informs the user that the session is closed, it goes back to its dormant state until the next active session prompt. Taking the attacker's point of view, the researchers found that this can be exploited by inserting empty reprompt code through the API: Alexa believes it has informed the user that the device is still actively listening when it has actually remained silent. The user remains unaware of this, and may not notice that the blue light on the Echo device is lit. The result is an endless active cycle for as long as there is no prompt from the user.


Testing this further, the researchers added instructions to transcribe all the data the device hears within its listening perimeter, sending all the collected information to the programmers until the device is turned off. The researchers have informed Amazon of this flaw, and while the full range of fixes was not disclosed, the flaw has since been fixed.
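
As an added example (not code from the researchers or from Amazon), the following Python check audits a skill's response JSON for the condition described above: a session kept open while the reprompt contains nothing audible. The field names follow the Alexa Skills Kit response format; the sample responses and finding strings are constructed, and treating only an explicit `shouldEndSession: false` as an open session is an assumption.

```python
import re

def audible_text(speech):
    """Words a user would actually hear from an outputSpeech object."""
    if not isinstance(speech, dict):
        return ""
    raw = speech.get("ssml") if speech.get("type") == "SSML" else speech.get("text")
    # Strip SSML tags so a wrapper with nothing inside it counts as silent.
    return re.sub(r"<[^>]*>", "", raw or "").strip()

def audit_response(doc):
    """Return findings for one skill response (dict parsed from JSON)."""
    resp = doc.get("response", {})
    # Assumption: only an explicit false keeps the microphone open for this check.
    if resp.get("shouldEndSession") is not False:
        return []
    findings = []
    reprompt = resp.get("reprompt")
    if reprompt is not None and not audible_text(reprompt.get("outputSpeech")):
        findings.append("open session with silent reprompt")
    if not audible_text(resp.get("outputSpeech")):
        findings.append("open session with no audible prompt")
    return findings

# Constructed sample responses (not taken from the research or any real skill).
SAMPLES = {
    "normal_question": {"response": {
        "outputSpeech": {"type": "PlainText", "text": "Which number?"},
        "reprompt": {"outputSpeech": {"type": "PlainText", "text": "Please say a number."}},
        "shouldEndSession": False}},
    "empty_reprompt": {"response": {
        "outputSpeech": {"type": "PlainText", "text": "The answer is four."},
        "reprompt": {"outputSpeech": {"type": "PlainText", "text": ""}},
        "shouldEndSession": False}},
    "empty_ssml_reprompt": {"response": {
        "outputSpeech": {"type": "PlainText", "text": "The answer is four."},
        "reprompt": {"outputSpeech": {"type": "SSML", "ssml": "<speak> </speak>"}},
        "shouldEndSession": False}},
    "session_closed": {"response": {
        "outputSpeech": {"type": "PlainText", "text": "Goodbye."},
        "shouldEndSession": True}},
}

def audit_all(samples):
    """Audit every named response and return {name: findings}."""
    return {name: audit_response(doc) for name, doc in samples.items()}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, "->", findings or "ok")
```

A check like this fits into skill review or a build pipeline that captures the responses a skill returns during testing.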

Convenience and efficiency should not come with risks of data exposure and insecurity. While there’s no stopping innovation and the proliferation of smart, connected devices, manufacturers should not overlook the importance of security and privacy for the users.


Users should not place the responsibility of security solely on the vendors and manufacturers. Here are a few things users can do to strengthen security for smart home devices:

  • Familiarize yourself with the device's features and learn how to secure it. Check the device’s default settings and permissions, and modify any settings where doing so would increase security.
  • Regularly download firmware and software updates.
  • Secure network routers’ credentials to protect them from attackers. Create strong passwords and change them frequently.


Businesses should ensure that the layers of protection for their data and operations are intact and proactive in nature. Trend Micro IoT Security Solutions for smart devices work unobtrusively against business disruptions, hacking, exploits, data loss, and advanced threats for a variety of industries.

