The latest bug uncovered in Amazon’s Echo allowed hackers to listen in through the speaker, a privilege which, until recently, most speculated was granted only to Amazon… and the NSA of course.

According to The Telegraph, researchers had found a way to make the Echo speakers continue listening long after they should have been switched off. Amazon countered that this would not have allowed the recordings to be passed to hackers; they would have stayed with Amazon itself.

Amazon Echo speakers listen for the word “Alexa” before completing a command, like “Alexa, tell me today’s news”. Any interaction with Alexa is recorded to improve the service, but once the command is finished, Alexa stops recording. At least, that is how it works on paper: security researchers from Checkmarx developed an Alexa Skill that would keep Alexa listening long after it should have switched itself off and automatically transcribe what it hears for an attacker.

When an Alexa Skill completes its task, it is supposed to stop listening. However, sometimes Alexa doesn’t hear a command correctly, which leads the Echo to ask the user to repeat it. The researchers found that this “re-prompt” feature could be exploited and programmed to carry on listening, while muting Alexa’s responses.

The good news: Amazon has since addressed the flaw by better detecting Skills which appear to be built for listening to users and by automatically detecting long listening sessions by an Echo. Manipulating the Echo didn’t actually require any attacks on the Echo itself, only a Skill coded to exploit its existing features.
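A sketch of the kind of review check the fix describes, as an added example that is not Amazon's or Checkmarx's code: it scans a constructed sequence of Skill responses and flags sessions that stay open turn after turn with no audible re-prompt. It assumes the Alexa response JSON fields `shouldEndSession`, `reprompt` and `outputSpeech`; the threshold and the helper names are hypothetical.

```python
import re

MAX_SILENT_TURNS = 2  # assumed review threshold, not a documented Amazon value


def spoken_text(speech):
    """Return the audible words of an outputSpeech object, markup stripped."""
    if not speech:
        return ""
    raw = speech.get("ssml") if speech.get("type") == "SSML" else speech.get("text")
    return re.sub(r"<[^>]+>", " ", raw or "").strip()


def keeps_listening_silently(response):
    """True when a turn leaves the session open but its re-prompt says nothing."""
    body = response.get("response", {})
    # A missing flag is treated as "session ended" (assumption for this sketch).
    if body.get("shouldEndSession", True):
        return False
    reprompt = (body.get("reprompt") or {}).get("outputSpeech")
    return spoken_text(reprompt) == ""


def audit_session(responses, limit=MAX_SILENT_TURNS):
    """Return indexes of turns that exceed `limit` consecutive silent open turns."""
    flagged, streak = [], 0
    for i, resp in enumerate(responses):
        streak = streak + 1 if keeps_listening_silently(resp) else 0
        if streak > limit:
            flagged.append(i)
    return flagged


def _turn(open_session, reprompt=None):
    """Build one constructed Skill response for the sample below."""
    body = {"outputSpeech": {"type": "PlainText", "text": "OK"},
            "shouldEndSession": not open_session}
    if reprompt is not None:
        body["reprompt"] = {"outputSpeech": reprompt}
    return {"version": "1.0", "response": body}


# Constructed sample session: one normal question, three silent open turns, then an end.
SAMPLE = [
    _turn(True, {"type": "PlainText", "text": "Which city?"}),
    _turn(True, {"type": "PlainText", "text": ""}),
    _turn(True, {"type": "SSML", "ssml": "<speak> </speak>"}),
    _turn(True, {"type": "PlainText", "text": ""}),
    _turn(False),
]

if __name__ == "__main__":
    print("Turns needing review:", audit_session(SAMPLE))
```

A Skill that asks a real follow-up question resets the counter, so ordinary multi-turn dialogs are not flagged.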