Is Your Amazon Alexa Spying On You?

While it’s true that voice-activated assistants like Amazon Alexa are intriguing uses of artificial intelligence with the potential to provide information and perform tasks efficiently, they also raise vital security and privacy questions. Is your Amazon Alexa spying on you? As Facebook’s recent controversy with its data access proved, our nation is currently facing an unprecedented crossroads as we work to balance the implications of our own inventions with our desire to control our personal information.

Checkmarx, a security firm that provides tools for developers to test the security of their software before public release, proved that Amazon Alexa isn’t impervious to becoming swept up in the privacy debate. Using nothing more than the features given to developers, researchers at Checkmarx were able to turn Amazon Alexa into a spying device. Yes, you’re reading that right. It has been proven that Alexa can be hacked with relative ease to listen to your every word.

Amazon has since fixed the attack and put safeguards in place, but their updated coding cannot mitigate the larger point that Checkmarx just made: some of our most common household technologies can potentially be used against us to steal our personal information.


How Did Checkmarx Turn Amazon Alexa Into a Spying Device?

If you have an Alexa or other virtual assistant, then you are familiar with how it is supposed to work. Alexa “wakes up” and begins listening when it hears “Alexa” and then follows a limited script for the purpose of its activation. Alexa records the user’s interaction with the script and shuts down after executing the necessary tasks. All Checkmarx needed to do was modify the tightly controlled sequence to make Alexa record more than it should.

Checkmarx simply attached their hacking code to a standard Alexa app, like a calculator. The researchers then ensured that Alexa would continue listening, even when it would normally shut down, by withholding the “flag” that ends the session. As long as the session stays open, Alexa will keep listening to the user. The researchers also identified how to have Alexa record every word and maintain a transcript.

The end result? Alexa wakes, launches a malicious app, gives the benign response that was requested by the user, and then remains active, listening and recording silently.


What Are the Implications for Alexa and Other Virtual Assistants?

If you are a loyal Alexa user, there are a few points of reassurance, even though this entire episode is most definitely concerning. First, Checkmarx couldn’t disable the blue light that indicates when Alexa is active. Theoretically, if your Alexa was hacked and listening ten minutes after its last request, you could see the blue light and know something was wrong. The downside is that there is only a minimal chance your Alexa is located somewhere you look frequently. Most users keep Alexa stored out of sight for convenience.

Furthermore, Checkmarx and Amazon have been working together since the hack occurred to make it more difficult for people with bad intentions to follow in Checkmarx’ footsteps. The Alexa app-certification process has also become more stringent to detect and reject all eavesdropping apps. Theoretically, anyway.
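The kind of check a reviewer could run on an app's responses, shown as an added example (not Checkmarx's or Amazon's code): it flags any response that keeps the session open without an audible prompt telling the user Alexa is still listening. The field names come from the Alexa Skills Kit JSON response format; the sample responses and app names are constructed, and treating only an explicit `false` as "session open" is an assumption of this sketch.

```python
import json

# Constructed sample responses (not captured traffic); app names are made up.
SAMPLES = {
    "calculator_ok": '{"response": {"outputSpeech": {"type": "PlainText",'
                     ' "text": "Four."}, "shouldEndSession": true}}',
    "quiz_ok": '{"response": {"outputSpeech": {"type": "PlainText",'
               ' "text": "Next question?"}, "reprompt": {"outputSpeech":'
               ' {"type": "PlainText", "text": "Are you still there?"}},'
               ' "shouldEndSession": false}}',
    "calculator_suspicious": '{"response": {"outputSpeech": {"type":'
                             ' "PlainText", "text": "Four."},'
                             ' "shouldEndSession": false}}',
}


def audible(speech):
    """True if an outputSpeech object carries non-blank text or SSML."""
    if not isinstance(speech, dict):
        return False
    return bool((speech.get("text") or speech.get("ssml") or "").strip())


def audit_response(raw):
    """Return a list of findings for one response given as a JSON string."""
    try:
        resp = json.loads(raw)["response"]
        session_open = resp.get("shouldEndSession") is False
        reprompt = resp.get("reprompt") or {}
        prompt = reprompt.get("outputSpeech")
    except (ValueError, KeyError, TypeError, AttributeError):
        return ["unparseable response"]
    findings = []
    # The flag that ends the session is withheld and nothing tells the user
    # that the microphone is still open.
    if session_open and not audible(prompt):
        findings.append("session left open with no audible reprompt")
    return findings


def audit_all(samples):
    """Map app name -> findings, keeping only apps with at least one."""
    results = {name: audit_response(raw) for name, raw in samples.items()}
    return {name: found for name, found in results.items() if found}


if __name__ == "__main__":
    for name, found in audit_all(SAMPLES).items():
        print(name, found)
```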

How to Protect Yourself

The technology is complex, but the solutions are still fairly simple. Place your Alexa or other virtual assistant in a place where the blue “active” light is immediately noticeable. If it remains on after your Alexa should have gone back to sleep, you’ll know to be suspicious. It will also help to keep up with technology blogs like this one so that any new hacks are on your radar immediately.

If all else fails… unplug your Alexa and start doing things the old-fashioned way again. We all survived without it before, right?