Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Alexa May Be Recording More Than You Realize

Executives may need to reconsider whether Amazon’s Alexa personal assistant is listening to more than just their commands. Or perhaps the telephone conference attendee who pauses to gather details from Alexa is giving the device more than just his or her own comments.

Executives may need to reconsider whether Amazon’s Alexa personal assistant is listening to more than just their commands. Or perhaps the telephone conference attendee who pauses to gather details from Alexa is giving the device more than just his or her own comments.

Privacy concerns over just how much information is received and stored by personal assistants are not new — but have now been quantified. An EU citizen, exercising his GDPR rights, asked Amazon for information on all his personal information held by the firm. What he received, two months later, was a link to a 100Mb zip file containing 1,700 Alexa audio files. He doesn’t own an Amazon Echo device and has never used the Alexa service; and it was not his voice that was recorded.

Strike 1 against Amazon for breaching the privacy of the true owner. Strike 2 comes with the detail of those recordings.

Forbes magazine set the scene in August 2018. Charles Radclyffe, a visiting fellow at the University of Bristol, wrote, “When you press the ‘mute’ button on an Amazon Echo, the top ring glows with a red indicator to confirm that Alexa is no longer listening. It’s elegant, simple, but disguises a very deep design problem. Alexa is designed to be always listening. The default is therefore for the microphone to be on, the light to be off.”

This is confirmed by the recordings received by the EU citizen. He reportedly contacted Amazon, but received no reply. The link to the downloadable file became inactive — but he had already downloaded it. He shared his story and the files with c’t magazine, part of the Heise group.

c’t magazine examined the files to see if they could determine the true owner of the recordings. They succeeded. But in doing so, they also discovered the amount of data stored by Alexa. They discovered the ‘victim’ of the Amazon error had a girlfriend, and were able to identify her. They heard the surname of a friend who they identified via social media, giving them a view of his wider circle of friends. They even heard him in the shower.

When the magazine contacted this person, he was shocked — and confirmed that he had heard nothing from Amazon even though the original recipient of the files had reported the error. Neither party heard anything from Amazon until three days after c’t magazine contacted it.

Amazon subsequently told Reuters, “This unfortunate case was the result of a human error and an isolated single case. We resolved the issue with the two customers involved and took measures to further optimize our processes. As a precautionary measure we contacted the relevant authorities.”

Advertisement. Scroll to continue reading.

Unfortunately, this is not the first privacy incident involving Alexa. In May 2018, the KIRO 7 news service reported another incident: Alexa recorded and sent a private conversation between a couple to one of the husband’s employees. The employee immediately called back and told them to unplug their Alexa devices, fearing they had been hacked.

Amazon’s explanation was that Alexa first misinterpreted something in the conversation as a wake-up command, and then misinterpreted other comments as an instruction to send the recording to the employee. While this is possible, it does confirm that the use and location of Alexa devices — and any other personal assistant — should be carefully considered.

Earlier this year, Alexa was awarded the Bielefield, Germany, Big Brother ‘data octopus’ award. By design, it must always be listening in order to know when to act — these two incidents demonstrate that this listening can lead to privacy complications.

Related: Amazon Alexa Can Be Used for Snooping, Researchers Say 

Related: Siri, Alexa, Google Now Vulnerable to Ultrasound Attacks

Related: Amazon Echo, Google Home Vulnerable to BlueBorne Attacks 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Privacy

Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Application Security

Open banking can be described as a perfect storm for cybersecurity. At one end, small startups with financial acumen but little or no security...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Government

The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.