• Can Alexa be used to spy?

    On May 24, 2018, Portland, Oregon local TV station Kiro 7 reported that an Amazon Alexa device recorded a private conversation, then sent it out to a random contact. Amazon confirmed the incident, and attributed it to an “unlikely” string of events that caused Alexa to mistakingly interpret background sounds as commands. In other words, this was not Alexa spying, but rather a technical glitch.

    But can Alexa be used to spy? Yes. In his blog, UK-based MWR Labs researcher Mark Barnes detailed how to turn an Amazon Echo into a “wiretap” without showing signs of tamper. Barns was able to write his own software to the Echo, and use a script to continuously stream raw microphone audio to a remote service, while keeping the normal functionality of the Echo.

    Actually, your Amazon Echo may not be the only device that spy on you. Your smart TV may be spying on you already without the help of a hacker. Smart TVs from multiple vendors were found to be snooping on you through the TV’s microphone or builtin video camera. In fact, Samsung even tells you “be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

    What can you do? ZDNet suggested that you should turn off smart interactivity. Depending on the vendor, that may or may not work. If you are more worried about security than the inconvenience of the TV’s lost Internet connectivity, you can completely block Internet access for the TV on your router.

    If you use the pcWRT router, there are three ways to help you out:

    1. Control what URLs or domains the device can connect to.
      Unless you use the smart device as a browser (which we suggest against), there are only a few domains that it needs connectivity to. We suggest that you put the device in a profile with white list access control, and list only the domains it needs access to.

      For example, if you limit your Echo’s connectivity to Amazon domains only, it won’t be able to send data to a hacker’s server even if the Echo has been hacked.

      Another example, if you want to use your Samsung smart TV to watch Netflix but are worried about Samsung snooping, you can restrict the Samsung smart TV to Netflix domains only. The TV’s Samsung connections will be blocked but you can still enjoy your Netflix movies.

    2. Monitor what domains your smart device has been connecting to.
      Using access control logging, you can see what domains your smart device has been connecting to, how frequent, over what port, using what protocol. You can also see the amount of failed attempts to connect out that were blocked by the router.
    3. Monitor how much data your smart device has been uploading or downloading.
      You can use the bandwidth monitor to see the amount of data that has been uploaded or downloaded. The bandwidth consumption should be low when the smart TV is turned off, or when you are not giving commands to Alexa.

Leave a Reply