Amazon Echo ‘Always Listening’ Feature Worries Security Experts
Even if Amazon Echo is secure, many Internet of Things devices are not. Some security experts are concerned about hacking, government access and who exactly is receiving all this consumer data. Everyone say 'Alexa.'
The Amazon Echo is a wireless connection point that provides news, weather, music and other forms of entertainment and information. It also allows you interface with various Internet of Things devices that are on your home network. It does all this magic through voice control.
By saying a key phrase Amazon calls a “wake word” the Echo comes to life and begins listening for commands. By default, the wake word is Alexa.
If you reread that last sentence it may not make sense, especially if you are in the security field. According to Amazon, the Echo only listens for commands once it hears its wake word. How does it know when you have said the wake word if it wasn’t already listening?
“What Amazon created was a gateway to its ecosystem with the Fire and Kindle,” says Joel Bilheimer of Pershing Technologies. “The Echo is an extension of that.”
Data Is the New Currency
According to Bilheimer, the thing most people don’t grasp about IoT is the Information Economy.
“Echo provides an API for cotroling other IoT devices with your voice,” adds Robert Graham of Errata Security. “It’s this feature that will make IoT in the home really popular — being able to control all the other devices in your home with simple voice commands.”
In the Amazon Echo world, those connections are known as “Skills” and there are quite a few. As of this writing, Amazon lists over 200 skills. These range from giving the Echo a “sassy attitude” to playing games. Other skills allow you to connect to banking, make purchases on Amazon and connect to other IoT devices.
“This is the big security concern,” adds Graham, “Even if the Echo is secure, many IoT devices are not.”
As we connect our clients’ Amazon Echos to other various devices, we need to verify the security of those devices. What exactly are these things asking about us, our environment and our security? As we provide more and more data to these devices, they are learning more about us even without us giving them that information.
“Everyone uses the phrase 'knowledge economy.' Knowledge — and data — are currency now. You think you are getting these services for free but you are paying for them with data about you,” says Bilheimer.
Except you’re not only paying for them with data; these devices cost actual money. So are we paying to provide Amazon, and services like Echo, data about ourselves?
In a way, yes. Whether it is a smart thermostat that monitors when we are home, occupancy sensors, smart locks or a talking (and listening) device, all of these IoT things know more about us than we most likely know about ourselves. They aren’t biased. They are just taking in data.
“These devices are loss leaders, much like when Best Buy first sold CDs,” says Bilheimer, “They are designed to get you in the store,” where you'll then spend money, or in this case, provide data.
Amazon has not released how much an Echo costs to manufacture. However, if it is similar to the company's Kindle and Fire products, Amazon will sell it for less than it costs to produce. According to some estimates, a Fire sells for $199 and costs $204 to produce. As Amazon introduces the idea of voice control and the ubiquitous digital assistant, it is able to gather more information about us as we chat away with our Echos.
Could Amazon Echo Be Hacked?
There is always a risk of being hacked with any online shopping website, but Amazon would not be in business very long if it did not take its security, and yours, seriously. But that doesn't mean the hackers don't exist.
“Cyber-bullies are just the reality of the world we live in,” says Bilheimer. "I would personally trust the big players who have lots of technical expertise in these areas to handle my personal data as opposed to a smaller player who doesn’t think they’ll get hacked.”
But then there's the “always on” feature. Amazon claims the Echo does not record conversations, or respond, until you say the wake phrase, "Alexa."
“The always listening feature is primarily a threat from the police, who could get a court order to secretly eavesdrop on you,” says Graham. “I doubt it’s a security concern from harm by hackers or harm by Amazon.”
Some reports state that Amazon isn't saying whether or not it has given government access to anyone’s Echo. Amazon's current report only has the data accessed to its cloud-based storage system.
However, in theory, a government agency could request to listen in, even before you say the wake word. According to 18 U.S. Code 2516, the Attorney General’s office can petition a federal judge to “intercept wire, oral or electronic communications.” Given the Echo is both electronic as well as oral, it is within this statute's purview.
It's Our Move, Really
As technology moves forward we are being asked, as both consumers and technologists, to decide between the functionality of the next whiz-bang gizmo and the security features we have come to expect.
“We need to empower ourselves and the next generation to make informed decisions about where that balance lies, but we have to acknowledge the reality of the inexorable march of technology,” says Bilheimer.
“I think my kids, when they grow up, will think of the iPhone 6 the way we think of flip phones,” Bilheimer continues. “Tools like the Echo are going to be so much more normal for them. IoT, smart houses [and] smart cars will be the norm, the standard.”
As with any push forward in technology, there will be, and should be, concerns for security and safety — both from nefarious actors as well as our own government. The likelihood of the Echo getting hacked from a criminal element is very small due to Amazon’s security measures. However, keeping abreast of the latest developments within the security and policing agencies is one way to make sure the devices you have in your, and your clients’, home align with your own level of comfort and transparency
Media outlets like CE Pro can file Freedom of Information acts to see exactly what sites and services the Justice Department and others are asking information from. Use this information to see which devices you spec, service and recommend. If you come across something that does not feel right for you and your clients, simply don’t use it until it comes in line with your company’s philosophy.
We're Looking for Your BEST Projects
Don’t miss your chance to enter to win a 2019 BEST Projects Award. We’ll be announcing winners at a special Gala event at CEDIA EXPO. We can’t wait to see what you’ve been up to this year! Enter your projects now.
Tim Albright, CTS, is the founder of AVNation. He holds a B.S. from Greenville College. Have a suggestion or a topic you want to read more about? Email Tim at firstname.lastname@example.org
Follow Tim on social media:
Networking & CablesProduct Briefs: MQA in new C4 OS; Doorbird, Snom; Guardian Protection Services Changes Name
EnGenius Smart Tri-Band Mesh Router Reaches Outdoor Spaces
HDBaseT Spec 3.0 Being Finalized; Supports 4K/60/4:4:4 up to 328 Feet
CE Pro Brand Analysis 2019: Familiar Brands Dominate the Market
PoE Verifier Tool From Ideal Networks Eliminates Installation Guesswork
View more on Networking & Cables