An Alexa bug allowed a developer to listen to everything said in a room with an Amazon Echo

Some users are concerned that smart speakers are permanently listening.

It is this functionality that allows the speaker to react when the activation phrase is spoken, but there are those who are concerned that, as a result of this functionality, companies are listening at all times and therefore invading their privacy.

All companies assure users that they don’t monitor or record conversations but, in the case of Amazon, researchers have discovered a bug in Alexa that allowed Echo devices to keep listening all the time and a developer to eavesdrop.

Once Alexa executes a command, it is supposed to stop listening, but the researchers at the security company Checkmarx developed functionality that allowed it to continue listening indefinitely, taking advantage of Alexa’s “Reprompt” function.

When Alexa does not hear your command correctly, it keeps listening and asks the user to repeat the command. Checkmarx researchers discovered that a developer could write code that made Alexa execute the “Reprompt” function even though it had fully understood the command. That way, it would keep listening.

They also discovered that developers could silence the “Reprompt” function, so the user wouldn’t hear Alexa ask them to repeat the command. That combination allowed Alexa to continue listening without the user noticing.

The only sign that Alexa was still listening is the blue ring around the Echo device, which is not a valid solution. Besides, other devices that use Alexa don’t have that light ring.

Checkmarx’s proof of concept used a Calculator functionality that worked just like any other calculator. However, after solving a math problem, the Echo continued to listen for more than a minute, taking advantage of the flaw described above.

During that minute, the Calculator transcribed all the recorded audio into text and sent it to the researchers, writing down word for word what was said in the room.
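The combination described above (a session kept open plus a reprompt the user cannot hear) is something a reviewer can check for in a skill's responses. The following is an added example, not code from Checkmarx or Amazon: it assumes the public Alexa Skills Kit response JSON fields `shouldEndSession` and `reprompt.outputSpeech`, and the function names, threshold and sample envelopes are hypothetical and constructed for illustration.

```python
import re

SSML_TAG = re.compile(r"<[^>]+>")

def audible_text(output_speech):
    """Words a user would actually hear from an outputSpeech object."""
    if not output_speech:
        return ""
    key = "ssml" if output_speech.get("type") == "SSML" else "text"
    return SSML_TAG.sub("", output_speech.get(key) or "").strip()

def audit_response(envelope):
    """Classify one skill response: 'closed', 'open-audible' or 'open-silent'."""
    resp = envelope.get("response", {})
    # Simplification (assumption): only an explicit false keeps the session open.
    if resp.get("shouldEndSession") is not False:
        return "closed"
    # A missing reprompt also counts as silent: the user hears no request to repeat.
    reprompt = resp.get("reprompt") or {}
    if audible_text(reprompt.get("outputSpeech")):
        return "open-audible"
    return "open-silent"

def audit_session(envelopes, max_silent_turns=1):
    """Flag a session whose longest run of silent open-session turns exceeds the limit."""
    longest = run = 0
    for env in envelopes:
        run = run + 1 if audit_response(env) == "open-silent" else 0
        longest = max(longest, run)
    return {"longest_silent_run": longest, "flag": longest > max_silent_turns}

def _resp(end, speech, reprompt=None):
    # Builds constructed sample envelopes; none are captured from a real skill.
    r = {"outputSpeech": {"type": "PlainText", "text": speech}, "shouldEndSession": end}
    if reprompt is not None:
        r["reprompt"] = {"outputSpeech": reprompt}
    return {"version": "1.0", "response": r}

BENIGN = [
    _resp(False, "What should I add?", {"type": "PlainText", "text": "Say two numbers."}),
    _resp(True, "Two plus two is four."),
]
SUSPECT = [
    _resp(False, "Two plus two is four.", {"type": "PlainText", "text": ""}),
    _resp(False, "", {"type": "SSML", "ssml": "<speak> </speak>"}),
    _resp(False, "", {"type": "PlainText", "text": "   "}),
]

if __name__ == "__main__":
    print(audit_session(BENIGN), audit_session(SUSPECT))
```

The threshold of one silent turn is an assumption; a legitimate skill may occasionally keep a session open without a reprompt, so the session-level run length is the stronger signal than any single response.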

The good news is that Checkmarx told Amazon before they publicly revealed the bug, and Amazon has already fixed the problem. It is not clear if anyone could have exploited the bug before it was fixed, but so far we have heard nothing.

In a statement, Amazon said: “Customer trust is essential to us, and we take security and privacy seriously. We have put in place mitigations to detect this kind of behavior and to reject or suppress these capabilities when we do so.” Source: CNET