On Thursday 24 May, a family from Oregon, US, contacted Amazon to report that their Echo device had accidentally recorded a private conversation in their home and then sent the audio file to a random contact in the digital address book. The family stated that every room in their house was wired with Amazon Echo devices, used to control everything from heating and lights to the home security system.
Danielle, one of the family members who wished to remain anonymous, described her interaction with the Amazon customer care team: “They said ‘our engineers went through your logs, and they saw exactly what you told us, they saw exactly what you said happened, and we’re sorry.’ He apologised like 15 times in a matter of 30 minutes and he said we really appreciate you bringing this to our attention, this is something we need to fix.”
Later that day, Amazon explained in a press statement to CNBC: “Echo woke up due to a word in background conversation sounding like ‘Alexa.’ Then, the subsequent conversation was heard as a ‘send message’ request. At which point, Alexa said out loud ‘To whom?’ At which point, the background conversation was interpreted as a name in the customer’s contact list. Alexa then asked out loud, ‘[contact name], right?’ Alexa then interpreted background conversation as ‘right’. As unlikely as this string of events is, we are evaluating options to make this case even less likely.”
According to market research group eMarketer, more than 60 million US consumers will use a smart speaker at least once a month in 2018, and more than 40 million of these will be using Amazon devices.
The incident highlights the privacy risks posed by both inadvertent software bugs and intentional hacks. Last year, a glitch was discovered in a Google Home Mini speaker that allowed the device to record audio constantly, even when it had not been activated.
The Amazon Echo error’s impact on Alexa for Business
At first glance, a single instance of such an error may not seem too disastrous for Amazon. But with the company encouraging global businesses to incorporate Alexa for Business as the primary tool for ‘intelligent assistance’, which can unify work calendars, improve searches for information and simplify conference calling, Amazon will have to address this issue rapidly in order to avoid cases that could lead to more serious breaches of security at great cost to the company.
Some manufacturers have responded to privacy concerns by building devices with physical switches that turn off cameras, microphones and other sensors.
Cyber security company Cy-OT chief executive officer Natan Bandler tells Verdict: “Organisations need a solution that can monitor this traffic and easily identify when there is a peak in the volume of traffic due to a device becoming a surveillance device. But, not only that; this solution must continuously monitor and analyse ALL the smart connected devices in an organisation’s airspace, identify threats and vulnerabilities from these connected devices and prevent these attacks in real time.”
“This is a great example of why organisations need a security mechanism in place that monitors all wireless activity and all IoT devices–many of which are not necessarily known to the company or not necessarily connected to the internal network but still can do a lot of damage.”
Synopsys solutions management director Ofer Maor tells Verdict: “While many of the commands we use with Echo, Alexa, Siri, and similar devices may not have a real impact of being hacked, the more we integrate these devices with our smart homes, the more such attacks may become an issue. For instance, we see more and more ‘smart locks’ offering voice integration with commands such as ‘Alexa, open the door’. While the convenience factor here is clear, being able to send such embedded commands could allow us to open the door or a gate or any other sort of mechanism designed to deter intruders.”
The Federal Communications Commission (FCC) states: “The Amazon Echo and its related accessories like the adapter (the “Products”) comply with part 15 of the FCC Rules. Operation of each Product is subject to the following two conditions: (1) such Product may not cause harmful interference, and (2) such Product must accept any interference received, including interference that may cause undesired operation.”
It is likely that Amazon will need to redress this fault in order to comply with the FCC’s rules, particularly the second part of subsection two.
“We are likely to see further data breaches and orders placed in error by virtual personal assistants such as Amazon Echo,” concluded GlobalData Digital Retail lead analyst Andreas Olah.
“Retailers need to give customers better control over the commands used for interaction with these devices and the way orders are confirmed to gain their trust and avoid hefty GDPR-era fines for negligence and insufficient data protection.”