back to article 'Alexa, listen in on my every word and send it all to a shady developer'

Amazon has shored up a security weakness in its technology to stop apps for Alexa-powered Echo personal assistants from secretly eavesdropping on folks. Alexa skills – software add-ons for the chatty voice-controlled assistant – could, once installed, have abused an Amazon-provided software development kit to continually …

  1. Anonymous Coward
    Paris Hilton


    There is so much we swore off, but it happened anyway, it's terrible we hate it but it happens.

    So just turn the microphone on and talk to the device, tell it your problems, scream at it your anger, chat with it all your joys and victories, use it like a counselor or the friend you never had.

    Researchers will have a field day with all that data, but in the end they will have to recognise that there are real people out there, hurting, feely people, with real lives and they are sitting there listening to all that life and not living themselves.

    The AI will develop the same attitudes as everybody else has, prejudiced, bigoted, happy, sad, angry, defeated, passive aggressive explosion of life and will not need much more research of the same.

    As for your personal secrets, they were exposed by your closest personal friends gossiping rudely near their own voice activated devices and have given up all the juicy bits to whoever cared.

    1. Anonymous Coward

      Re: Onanism

      Hang in there. Puberty's rough.

      1. Anonymous Coward

        Re: Onanism

        Strange, I had the opposite reaction, that the OP was someone older say > 30

  2. vir

    We Did This

    "It's not a game. This is the world. It is not the one we were supposed to have, but it's the one we made. We did this. We did it with open eyes and willing hands. We broke it, and there is no putting it back together." - Jonathan Hickman, East of West

  3. Donn Bly

    Does anybody else notice...

    Does anybody else notice that the "blue ring" is still active in their video? That is the Echo's visual feedback that it is actively listening and recording. Anybody who has and uses one of these things knows that.

    Checkmarx press release makes it sound like they can remotely turn one of these things into a listening bug - but that just isn't the way it works. The skill has to be manually installed by the user, then has to be manually activated by the user, and THEN the "skill" can listen for 8 seconds for additional commands after performing whatever action the user requested of it. After the initial 8 seconds, the skill can issue a "re-prompt" (normally an "are you still there" type of question) to listen for an additional 8 seconds for additional commands. The skill doesn't listen for 16 uninterrupted seconds. The skill does not get raw ambient audio. The skill cannot be surreptitiously installed. Anybody who has the knowledge to enable the skill is going to know the visual feedback mechanisms.

    I can see Amazon making the audio cue a required parameter instead of optional, but I certainly wouldn't classify the behavior as a security flaw - at least not any more of a security hole than you would expect from having a live microphone.
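
The session behaviour described in the comment above, turned into a review check (an added example, not part of the original comment and not Amazon's code): it flags a skill response that keeps the session open while giving the user nothing to hear. The field names follow the Alexa Skills Kit response JSON; the function names and sample responses are constructed for illustration, and treating only an explicit `false` as "session stays open" is an assumption.

```python
import re

def audible(output_speech):
    """True if an outputSpeech object gives the user something to hear."""
    if not output_speech:
        return False
    raw = output_speech.get("text") or output_speech.get("ssml") or ""
    if "<audio" in raw:            # SSML audio clips are audible without any text
        return True
    # Strip SSML tags such as <speak> and <break/>; what remains is spoken text.
    return bool(re.sub(r"<[^>]+>", "", raw).strip())

def audit_response(envelope):
    """Return findings for one skill response envelope (a dict)."""
    resp = envelope.get("response", {})
    # Assumption: only an explicit false keeps the session, and so the
    # listening window, open after the skill has answered.
    if resp.get("shouldEndSession") is not False:
        return []
    findings = []
    if not audible(resp.get("outputSpeech")):
        findings.append("session kept open with no spoken prompt")
    reprompt = resp.get("reprompt")
    if reprompt is not None and not audible(reprompt.get("outputSpeech")):
        findings.append("re-prompt extends listening without an audio cue")
    return findings

# Constructed sample responses, not captured from any real skill.
SAMPLES = {
    "asks_a_question": {"response": {
        "outputSpeech": {"type": "PlainText", "text": "Which city?"},
        "reprompt": {"outputSpeech": {"type": "PlainText",
                                      "text": "Are you still there?"}},
        "shouldEndSession": False}},
    "silent_reprompt": {"response": {
        "outputSpeech": {"type": "PlainText", "text": "Two plus two is four."},
        "reprompt": {"outputSpeech": {"type": "SSML",
                                      "ssml": "<speak> </speak>"}},
        "shouldEndSession": False}},
    "ends_session": {"response": {
        "outputSpeech": {"type": "PlainText", "text": "Goodbye."},
        "shouldEndSession": True}},
}

def audit_all(samples=SAMPLES):
    return {name: audit_response(env) for name, env in samples.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or "ok")
```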

    1. Brenda McViking

      Re: Does anybody else notice...


      If I get people saying "oohoo, it might be listening in" when they see my Echo Dot, I remind them they're carrying a hackable-device with a microphone that is connected to the internet as well. It's a mobile phone. I don't much care. I live alone and don't talk to myself.

      Notwithstanding the oblig xkcd issue of course...

      1. Rich 11 Silver badge

        Re: Does anybody else notice...

        I live alone and don't talk to myself.

        I live alone and do talk to myself.

        Very occasionally, someone will answer.

      2. handleoclast

        Re: Does anybody else notice...

        I live alone and don't talk to myself.

        I live alone and talk to the next-door neighbour's cats that drop in to play with me.

        1. Tikimon

          Re: Does anybody else notice...

          I live with my wife and talk to myself anyway. Occasionally I have furious rows with myself and might not speak to me for hours. Bastard.

          1. onefang

            Re: Does anybody else notice...

            Talking to myself is often the only way to get intelligent conversation.

      3. allthecoolshortnamesweretaken

        Re: Does anybody else notice...

        "[...] i remind them they're carrying a hackable-device with a microphone that is connected to the internet as well."

        I don't. Life without a shinyphone still is remarkably possible.

  4. Steve Davies 3 Silver badge

    The real reason is...

    that Bezos and his crew want it all for themselves and won't share it without lots of filthy lucre coming their way.

    1. Graham Cobb

      Re: The real reason is...

      There is some truth in that. That is part of the reason why I trust Amazon a little more than some other spyware vendors.

      The main reason is that they want you to have Alexa to make it easy to sell you stuff. They have a very strong interest in not doing anything (or, more importantly, not letting anyone else do anything) that makes it likely you realise how bad an idea it is to have their spy in the house. So they will focus on things to make you (i) find Alexa useful and (ii) buy stuff.

      That means I expect them to do nasty things that help them find out more about you, to target ads, offers and pricing. However, they are not very likely to allow third parties to abuse the device.

      Of course, saying I trust them a little more than others doesn't mean much. I certainly won't have one of their devices in the house, but I don't refuse to visit my brother-in-law who has one, which I might for other devices.

  5. Pascal Monett Silver badge

    Skills ?

    Could we please stop affecting human-like attributes to anything in the IT industry ?

    Computers don't have skills, they have programs or add-ons with specific functionality.

    Stop trying to confuse a lump of plastic and silicon with a thought-enabled being.

    1. Boothy

      Re: Skills ?



      n. Proficiency, facility, or dexterity that is acquired or developed through training or experience. See Synonyms at ability.

      n. An art, trade, or technique, particularly one requiring use of the hands or body.

      n. A developed talent or ability: writing skills.

      None of these definitions seem to fit the usage here. These are programs, or 'apps', nothing at all to do with skills!

      1. Donn Bly

        Re: Skills ?

        The words "program" and "application", when first used in context of computing resources, had absolutely nothing to do with the meanings which you now impart upon them. Using your own logic, those words shouldn't have ever been used either.

        In this case, Amazon has probably chosen "skill" instead of program and application (or "app") to differentiate them, because they are neither programs NOR applications. You CANNOT install any third party software on an echo.

        That is one of the reasons why Amazon uses the word "Enable" instead of "Install" -- because unlike a phone or computer you can't install anything.

        What an echo skill does is extend the abilities of the echo by applying a filter to the translated text stream and proxying it off to another server for processing. It is trivial really. In the industry we would probably call them "plugins" or "processing rules" but the reality is that most of the product's target demographic thinks that a "plugin" is an air freshener made by Glade but DOES understand "skill". A "developed talent or ability" does in fact fit what they are trying to accomplish, even reinforcing the perceived anthropomorphic characteristics of the device that they are trying to market.

    2. allthecoolshortnamesweretaken

      Re: Skills ?

      What about "mad skillz", then?

      (Mine's the one with the - oh never mind, I must have left it at home. I'll sort it out myself. Sorry to bother you.)

  6. John Smith 19 Gold badge

    Here's the thing. Once you put the hook for this in, what it's used for is a policy decision.

    History shows giving any information out to a large organization can (and often will) be abused by someone.

  7. Kane Silver badge

    That's not a bug...

    ...that's a feature!

  8. Jtom

    Well, first, if this is happening with my Echos, I'll take the bullet for you. If they listen in on me, they will be wasting their time and money, which leaves them less of both to monitor others. I'm a very boring person and am planning nothing illegal.

    Secondly, my guess is they would use personal info for customizing advertising. So, just out of curiosity, a couple of times a week I say, "We need to get some septic tank cleaner." So far, I've seen no ads for such a product. We won't be shopping for it, either, since we don't have a septic tank. If I ever do see such an ad, the Echos will be terminated with extreme prejudice.

  9. Tim99 Silver badge

    You haven't seen adverts for septic tank cleaner because the Echos know that you don't have a septic tank? Or, maybe they think that you are terrorist serial killers who need the cleaner to dispose of bits of bodies, and are getting more evidence before contacting the authorities?

    I used the "Joke Alert" instead of "Big Brother" icon >>===>

  10. jelabarre59 Silver badge


    Somehow I can only expect these Alexia/Google/Cortana devices to work about as well as this:

  11. Fruit and Nutcase Silver badge

    I'm Frasier Crane And I'm Listening

    Time to rename Alexa?

  12. allthecoolshortnamesweretaken

    "Describe in single words only the good things that come into your mind about... your mother."

  13. Anonymous Coward

    If I tell Alexa to self destruct, will it?
