Sales of the Amazon Alexa smart speaker are skyrocketing. During 2017 in Germany they hit 1.5 million and in the UK 2.8 million. That’s a lot of smart, talking speakers and 2018 is set to bring even higher sales figures.

But inevitably as smart speakers become more commonplace, security researchers are doing their software thing, poking and prodding to find flaws, because that’s what researchers do. It’s also what hackers do.

Last year a group of researchers revealed how some models of Amazon Echo could be turned into a covert listening device by remotely turning one on after an owner had turned it off.

Secret conversations

This time around researchers have revealed that it’s possible to hack Alexa so it can secretly record conversations and then send transcripts of these conversations to a third-party website.

Just for clarification, Echo is the speaker brand and Alexa is the voice-controlled intelligent personal assistant service which sits inside it.

How does the hack work?

  • ‘Alexa Skills’ apps are available in the Amazon store. They range from business and finance to shopping and weather skills apps. These skills apps augment Alexa’s basic voice-activated functions.
  • Researchers demonstrated that a calculator skills app could be used to silently prompt Alexa to remain on when a user has finished using the calculator.
  • As a result, a secret voice session actually records all the conversations taking place around the smart speaker.
  • By default, Alexa should end a voice session when the interaction has ended, unless a user requests that the voice session remain open.
  • Sharp-eyed Alexa owners could spot the intrusion if they noticed the blue light on Echo is still on even after chit chat has stopped.

How did Amazon respond?

  • It did the right thing and a bit more. The researchers notified Amazon and the company responded by regularly scanning apps for silent prompts that listen for unusual lengths of time. And in the spirit of protecting customers, if it finds such hidden functionality the app is given the immediate boot from its store.

So all is well in the interactive world of Amazon smart devices?

  • We’d like to think so. But we wouldn’t put the house, flat or tent in the park on it. Amazon has a good track record of responding to flaws but researchers also have a good track record of finding vulnerabilities.
  • That said, some of the methods used to create these hacks are so challenging it would be easier to scale a drainpipe, clamber through a window, gouge a hole in the ceiling and plant a covert listening device in someone’s home. And all while the occupants are watching TV downstairs.

Great, we’re all as safe as bunnies in a warren?

  • Not quite. Amazon does all it can to safeguard its corporate behemoth reputation but there are myriad shoals of smaller minnows releasing insecure smart devices with all the caution of Donald Trump issuing his Twitter missives.
  • Amazon may be big on the smart speaker scene but these smaller players often don’t give security a second thought. They just want to get in on the party. And some of these insecure devices are incredibly popular, like baby monitors, smart cameras, smart TVs and, gasp, smart locks and windows.

Should we just ignore the smart revolution then?

  • How can we? Smart devices are set to become as ubiquitous as desktop computers multiplied by 10,000 and more.
  • To stay safe, and we’ve been working up to this, we need something like Dojo by BullGuard.
  • We won’t go into the details because you can find out more here. But suffice to say the security technology in Dojo is what you would find in a large corporate organisation that deploys the very best in security technologies to safeguard its sensitive data. Except Dojo is for the home. Smart home protection doesn’t get any bigger or better.