I may have posted this same sentiment on the other threads on this topic so please feel free to ignore.
I see some confusion as to why anybody would want these devices in the houses whatsoever and would like to offer an answer:
Quadriplegia.
Imagine walking into your house one day and all of the keys had been taken off your keyboard, every light switch is smooth, all of the doorknobs have disappeared, the controls on your stereo have disappeared and every other switch, lever and/or physical method of interacting with your devices had disappeared. That was what it was like to be me as a quadriplegic Geek.
Then came the Amazon Echo and its ilk. The Echo coupled with Home Assistant[1] has absolutely revolutionised my life and enabled me to do all of the things above that I wasn't able to do before. It's a pretty compelling reason for me.
Am I worried about my privacy? Absolutely. Am I any more worried about the Amazon Echo than I am about the microphone in my iPhone, television, MacBook Pro, iMac and weirdly my fridge? Nope.
As others have pointed out it's a trade-off, I could be completely private and not be able to do anything or I could accept this somewhat Faustian bargain and be able to control almost every aspect of my house. Crappy situation to be in, but there is.
There are a few open source alternatives coming through which keep everything within the wire, but until they get traction enough to be out interact with all my other devices I can't use them. Which sucks.
Anyway, hopefully this comment was helpful and am available to answer questions on any topic other than physics. I'm rubbish at physics. :-)
I really hate the "why would anyone want this?!?" argument as well. I am not quadriplegic, but I absolutely want the functionality it provides.
That being said: No fucking way am I putting a closed-source, black-box, always-listening device in my house. A lot of the current home-automation concepts are amazing, but we keep implementing them in the shittiest way possible.
We really need better open, secure, upgradeable, hackable, adjustable systems for it to really take off.
I want these devices for their simple convenience...
My teenage children often leave lights on in the basement of my home. "Alexa, turn off the basement lights".
I'm also slightly afraid of heights, so I've considered installing smart LED's in the can lights in the eves of my roof. "Alexa, turn the house red."
Sometimes I get hot or cold after I've already gone to bed and I don't want to walk to the thermostat to see if someone has adjusted it. "Alexa, set the temperature to 70 degrees."
I worry about the loss of privacy but the day to day convenience is also pretty compelling.
with all the info available about rampant blanket NSA spying/access, and the content of most privacy policies, the basic operating procedure anymore should be to assume that all devices are pwned.
if you're cool sprinkling always-on microphones around your house for convenience, more power to you.
> You probably carry a microphone almost everywhere you go.
That's projection; some of us value an expectation of privacy more than minor conveniences.
> it can certainly be made to do so
Except that isn't the intended purpose of the device. You still have an expectation of privacy. When you normalize an expectation that you might
be recorded by 3rd party devices, the 4th Amendment longer applies[1].
This isn't about technology, "targeted advertising", or the NSA. Blinded by shiny baubles and a handful of not-strictly-necessary conveniences, you're normalizing social expectations to accept regular automated recording the "details of a private home that would previously have been unknowable without physical intrusion"[2].
Defending internet microphones because they are convenient isn't useful or convincing. Lots of things sound good when you only consider the benefits.
It is of course a trade-off. However having accepted one, doesn't mean I should accept the other. I still prefer to have one potentially listening microphone around, than have two.
The annoying things is that all the use cases you just described could be handled locally (over wifi/home-nework) without Alexa being connected to the wider web.
This is all I want; give me the option to not have the assistant connect to the web but still work in a more limited capacity for home automation and to interact with the local files/programs on the computers in my home.
I was under the impression that aside from a limited realm like the wake word, it's Hard to do voice recognition without centralized processing. Some combination of faster CPU (even with network latency detracting), whatever storage requirements there are for samples or fingerprints of every possible phoneme, 0-day neologisms (okay, strictly home automation wouldn't need that part), etc. etc. etc.
>My teenage children often leave lights on in the basement of my home. "Alexa, turn off the basement lights".
I feel that this solution is in every respect markedly inferior to "Kids, turn off the basement lights." You spend more money, your house is bugged, and your kids don't learn.
Most manufacturers also have a phone app. I use Phillips Hue light-bulbs, and they're OK. Sure, there are still privacy implications (NSA can tell if I'm home or not), but not as bad as having a bunch of microphones. My daughter can also control the lights with her tablet.
Main downside: it's annoying to unlock phone, open the Hue app (which is oddly sluggish), wait for it to connect to the hub, then control a device. You can also write your own tools, for example, if you want to turn off lights when there are no mobile devices connected to the wifi (i.e. no one home).
Otherwise I agree that those voice devices have big advantages for people with a disability, elderly, etc. I can't help thinking of old "clap on, clap off" ads from the 80s.
This makes a lot of sense, but there are only so many people with these kinds of injuries, and Amazon is marketing far beyond it. It’s just s pity thst help to someone in your circumstances always seems to be a side-effect or afterthought, rather than the initial goal. It makes me think a bit of how restaurants have moved to accommodate the many people who claim various, spurious forms of gluten/wheat issues other than actual Celiac disease. If you have Celiac, your horizon has expanded, but only because of a separate group of loud and gullible people.
Tell me about it, I have money too! You make the products and I will buy them, as will other disabled people. It's a huge untapped market, it really is and only Apple seems to be paying even the slightest attention.
I'm available for very expensive opinions by the way! :-)
Sorry, I didn't actually address your point in my rush to be sarcastic. Mea culpa, mea maxima culpa.
You are absolutely correct and I think that quadriplegics can be used as a kind of Patient Zero for accessibility purposes, in that if you can make a widget/service/application/building that a quadriplegic can successfully use then all those other people you mentioned will probably be able to as well.
It means you have to solve one problem involving extreme disability, rather than taking each disability, infirmity, and just plain old being old as discrete and individual problems.
I used to work for a healthcare software company, we dealt with this a lot. In fact, it was probably our primary focus.
The problem with the sick, injured, and elderly is that they are all disabled in very different ways. Someone with a spinal injury will be operate completely differently than someone with a stroke. You'll put a control on the left side of the screen which will impact anyone who can't use their left hand. Then you'll move it to the bottom of the screen, but that will impact people with peripheral vision issues or dementia. Many solutions that work for one set of disabilities are mutually exclusive to other disabilities.
Color blindness and issues with sight are very difficult to get right (avoid blue... and red... and green...). Everything has to be big and bold and high contrast; your important call-to-action will be the same size as the link to your terms and conditions.
We built an app that required people with diabetes to take pictures of their feet. Ironically, when we went to trial, none of the patients were able to take pictures of their feet. People who suffer from diabetes tend to be a bit larger, and yeah... they can't really bend over or pickup their feet.
You can't build one app for everyone, you have to build 3 or 4 different versions that offer tailored features depending on the disabilities of that group. You need a design team that is accessibility focused, otherwise your developers are going to get a flat PNG of designs and have no idea how to implement the workflows for accessible users. It's incredibly expensive and you need talented people.
I say all this not to stop anyone from doing accessibility focused work, but just to give reasons why many companies a) do a shit job of it and b) don't spend much time on it. The sad reality is that many disabled people don't have expendable income, so they aren't really the focus of business efforts. The only reason I got to experience all of this work was because the government was directly funding our efforts.
Hi, I guess I really didn't articulate my point very well at all, sorry about that.
I think I was trying to articulate that solving one disability problem for one type of disability almost always has applications for people with other types of disabilities, a very simple example is ramps and widening doors for people in big wheelchairs. That wider door and ramp can also be used by people with other disabilities.
As you quite rightly point out there are no panaceas, there is no one application to suit everybody; that would be impractical. What companies could do more of is open up their API's so that people can solve their own problems, that way if the widget you've just bought doesn't quite fit your disability but has an open API the option exists for you to tailor it to your needs. This is how I fly my Parrot drone, it wasn't designed to enable disabled people to use but they left a little space I could solve my problems. Obviously not everyone has that ability, but with an open API other companies could create products and solutions for existing products and services.
I'm not sure I agree with you about the disposable income part of your argument, if we can work a big enough scale we can make things affordable. But to get there we need companies to spend a lot of money on as you quite rightly pointed out talent, time and treasure. And unfortunately only Apple seems to be even slightly moving in the right direction.
Also in the UK we have the NHS who has enormous purchasing power and would be totally willing to pay for low-cost devices that solve particular disability problems, that way those people don't take up expensive hospital beds. At the moment, it needs a giant amount of investment and as you also pointed out that's probably going to be governments if it's done at all.
Leaving debug pads is not a vulnerability that most people care about. Expecting physical tamper resistance is unnecessary for regular appliances.
Even if the debug pads weren't available, one could replace the flash, or use a scanning electron microscope to modify bits in the main microprocessor. This isn't a smart card.
Here's a vulnerability that almost every device has: an attacker with physical access can replace the device with an identical looking device. The new device might even have explosives!
I don't get the fear mongering. It seems infinitely more likely my computer is compromised than some single purpose device that doesn't load code from third party developers or visit random web pages.
If we're expecting that Apple/Google/Amazon/Microsoft are the people attacking us then they have easier ways. If we expect it's outsiders then how do they even get to my Alexa?
I agree with you. This hack requires physical access and is fairly complicated. It's probably much easier to walk into someone's house and drop a tiny wireless microphone somewhere hidden.
They raise the issue of having Alexa devices in semi-private places like hotel rooms[0].
I think people have an expectation of privacy in a hotel room. And I assume major hotels have security measures in place to catch consumer-level eavesdropping devices.
Rooting an Alexa device in this manner seems like something that could easily be done by a prankster requiring no specialized equipment.
Has anyone stayed in Wynn hotel in Vegas? Are the alexa devices just out in the open or built into the room somehow that might easily show tampering? Or, maybe they have only the latest version with the debug pads disabled?
"The $foo is vulnerable to a physical attack that allows an attacker to gain a root shell..."
This is true for nearly any device, including your cell phone, your MacBook, etc, etc, ad nauseam.
And every time these devices come up there's so many comments on how they would never have one in their home, ostensibly because "it's always listening".
This is sickeningly naive in my opinion. Any device with a microphone is capable of the same thing. You shouldn't be trusting your phone any more than an Alexa device.
Sickeningly naive is a good description. Especially on technology forums.
It's like the recurring conspiracy theory about the Facebook app literally listening to people's conversations -- if you're reasonably technical, you already understand how silly that is.
This is really cool (rooting devices is wonderful -- and they should all be open for home modifications!), but also not something that has any real effect on the average consumer.
Physical attacks are, in my opinion, uninteresting, because you may as well just plant an old fashioned bug.
Consumers should be wary of purchasing used devices like this generally. I am not, however, aware or any wide spread scams involving physical attacks on consumer electronics.
> Physical attacks are, in my opinion, uninteresting, because you may as well just plant an old fashioned bug.
The one benefit is the target is going to specifically locate this device in a location where it can hear them, and will relocate it appropriately if they move furniture, rooms, houses, etc. There's nothing physical to discover to tip them off.
It's a listening device disguised as a listening device. No need to hide, even though it's in plain sight.
But it'd be trivial for them to slip an extra bit of hardware, wire it to the existing mic and use that to do all the actions they wish. At the point where someone has physical access to the device the game is over.
This is not an attack - its an immutable law, if someone else has unrestricted physical access to your device, it's not your device anymore.
To be fair, planting a physical bug for longer-term surveillance is more difficult, because you need to worry about providing power to it, and about exfiltrating the data. A home assistant device, by its nature, has its owner ensuring both of those problems are solved for you.
Right, and you also need to worry about it being found. There's nothing physical about this hack that would tip off the owner that they have an (unauthorized) listening device in their home.
You still need to worry about it being found in the pure software case - there's far higher odds of me seeing some suspicious traffic than a small custom bit of RF gear inside. If someone's taking the thing apart and sees your physical extra bits, odds are they're doing so to dump the firmware, just like this guy... if they're not doing that, they're not necessarily skilled enough to spot whatever modifications you may have planted either. It really depends on the target though I suppose. Of course, at the point you have physical access, all bets are off, they could swap chips on the board with identically labeled ones which serve different functions - replace the firmware and signing with their own, etc. An essentially undetectable hardware modification.
1) I doubt most people are monitoring their home LAN traffic at all, let alone to the degree that would let them detect something odd here. Even if they are, there are ways around it -- like simply compressing and storing the extra voice data and only sending it out when someone makes a legit request to their Echo. Certainly that's more data, but the access pattern would make it easier to hide.
2) This hack doesn't require any (lasting) physical modification to the Echo. You connect to the debug pads on the bottom, do some stuff, disconnect, and you're done. So there are no physical extra bits to find.
But yeah, my point here was exactly #2 -- physically there is nothing in your home that was not there before. In the case of a dedicated bug, that's something physical that the target of surveillance could find and know that someone is messing with them.
But this is something you could get from your "friends", family, or even an employer as a "gift". Usually people would not install spy gear in their home, even if it was given to them for free. But give them hacked Echo...
Remember the Valut7 leaks contained an attack via USB on Samsung TVs. If you're targeted, an operative could infect your device in transit before it reaches you.
> The Amazon Echo does include a physical mute button that disables the microphone on the top of the device or can be turned off when sensitive information is being discussed (this is a hardwire mechanism and cannot be altered via software).
I would never have one of these devices in my home, and I'm surprised I see so many of them in homes of people who are in the tech industry. I wondered if people in security would have them and so I contacted one of my good friends who is a security expert. "What's an Alexa device?"
He's a Kiwi. Amazon hasn't made it to NZ yet. He's only seen them on TV shows.
Interestingly this article is nothing about what gets transmitted, but just hacking the device. It would be kinda cool if we started to see projects to turn Amazon devices into one of the open source variants like Jarvis.
I think like, with most things, it's all about the tradeoff.
I have one in my house in the living room. It basically exists to have an easy way of turning on Spotify. We don't have sensitive conversations in the living room. If someone were listening, they'd mostly get me scolding my children and asking what's for dinner. The might also steal a token to connect to Spotify. My AWS account isn't linked to the same account as my Alexa, and requires TFA, so that's safe.
I wouldn't put this device in my bedroom. I also was less interested when my kids were young enough that I might actually have a sensitive conversation anywhere. I'd considered putting one in my tv room to control the tv, but that's about it.
I don't regard the Alexa as a greater vulnerability to my house than my phone, and I already accept owning a smart phone. I am concerned about the same things you are, but I view it as more of a trade-off than a simple "just don't do it!" attitude.
Depending on who's listening (post-processing recordings in bulk) and your tone, scolding your children might get you a visit from the authorities if over-eager busibodies are listening.
Do you really think that's even in the realm of possibility? There is so much paranoia-driven FUD in these comments.
But let's say that yes, this absurd hypothetical is possible and happens.
Someone is capturing full audio from your device even though it allegedly only transmits when certain phrases are used (e.g., "Alexa..."). They've tunneled through your modem, router and AP and are capturing directly from your device.
That same someone is somehow able to process hours of ambient sounds, conversations and everything else to pick out someone using an inappropriate tone with their children.
They then take these recordings to a local child protection agency (e.g., CPS) and present the audio along with your information to develop an actionable case against you.
That child protection agency then decides your tone was strong enough that they need to pursue legal action.
How does this hold up in court? How does illegally-obtained audio stand as evidence? How are they able to prove it was you and not a relative or visitor?
It won't hold up; this is insane. Your point about the wrong tone being used against you is insane. I get being paranoid and not trusting these devices but get real!
> Someone is capturing full audio from your device even though it allegedly only transmits when certain phrases are used (e.g., "Alexa..."). They've tunneled through your modem, router and AP and are capturing directly from your device.
That's a ridiculous scenario.
How about, "Alexa itself transmits to the cloud. 10 years from now, a scanning service post-processes recordings using sentiment analysis and emotional state tracking now required by the new administration. State regulators have determined that parents should not talk to children in tones that fall into $this_band$. Regulations make Amazon responsible to report this to the authorities or face financial penalties."
Today, folks are being deported from this country after living here for a decade under the Dream Act. So, no, I don't put much stock in your assertion that things won't be applied retroactively or used to "forecast outcomes".
> Someone is capturing full audio from your device even though it allegedly only transmits when certain phrases are used (e.g., "Alexa..."). They've tunneled through your modem, router and AP and are capturing directly from your device.
It's not remotely out of line to discuss the implications of hijacking an Alexa in a discussion thread on an article that describes exactly how to hijack an Alexa. You don't have to sound incredulous about that part...
You're picking a piece out of my full response and adding context I didn't provide. I said the overall statement was absurd, not that capturing audio was.
Look at what prosecutors do today with internet history. They search through whatever they can find in the browser history of a supposedly guilty suspect, cherry pick anything remotely incriminating, and use it completely out of context to support whatever case they are trying to build. I don’t think it’s one bit far fetched or paranoid to see something similar happening if they could ever get access to a suspects indexed conversations.
You'd be surprised how crazy CPS is if you aren't wealthy and white. They don't actually seem to even need any "evidence" really.
I agree it seems unlikely, though, especially if you are relatively wealthy and white. (Also who is hacking into your system with this as their goal and how likely is that? On the other hand, in the age of swatting, anything seems possible.)
As we continue to advance universal surveillance though (self- and other-), I think we will start to see stuff like this happening more. It'll take a little while.
> Montgomery County police and county Children's Protective Services are jointly investigating the Meitivs of Silver Spring for allowing their children to walk repeatedly around the neighborhood alone. The parents say they know where their children are but are allowing them independence.
> Officers picked up the children about two blocks from home, Rafi said, telling them they would drop them off at home. Instead, the two sat in a patrol car for 2½ hours then were taken about 10 miles away to Children's Protective Services offices in Rockville, Md.
> You'd be surprised how crazy CPS is if you aren't wealthy and white.
When people say they have nothing to hide, they're also saying they have no abuse of power to confront, and nobody who is persecuted to stand with in solidarity. And for some reason, they think they're the standard, or that any of this is new. Look into history, with any totalitarian government, any oppressive king, you'll always find people going "doesn't affect me". It's as old, and as valuable, as dirt.
>You'd be surprised how crazy CPS is if you aren't wealthy and white.
Even then, I have some relatives (white and middle-class) that lived in an apartment. The people on the other side of the wall reported them for yelling at their kids. Fortunately for them they had a friend at the CPS who called them and told them that CPS was coming the next morning to take away their kids. So they packed up and moved out of state that night.
Yeah, good point, it's not limited to the white and not wealthy, but like everything else in society, the more resources you got, the more you can avoid them (and being white is indeed a resource in our society). But yeah, CPS is scary shit.
You have no experience with CPS, do you? There is no court involved at the beginning. They can just take your children away on their say so. Afterwards you will have to go though the courts to get them back.
I consider that a feature, not a bug - if mining data from always-on devices protected kids who were actually being abused, that would be a win. False positives can be tuned out.
I fail to see the connection. If Amazon began to analyze recordings to try and find real or even misconstrued abuse (presumably only after legislation required them to - I can't see a business case), they'd reasonably need to adjust what their algo flagged as a match. I'd be curious if Echo (or gHome, or Siri) do any sentiment analysis right now, they don't seem to (or cursing when they botch your command would at least produce more contrition).
> Although the Echo brings about questions of privacy with its 'always listening' microphones, many of us walk around with trackable microphones in our pockets without a second thought.
I guess you didn't give a second thought either (unless you don't have a phone?)
> I would never have one of these devices in my home, and I'm surprised I see so many of them in homes of people who are in the tech industry.
I'm sure you have a vastly more powerful and easier to compromise device in your pocket that you carry everywhere. I have an Echo and it's pretty good for what it does -- for the simple convenience I use it for it's worth it. I have it behind a firewall.
You're surprised that people in tech industry aren't afraid of technology? Because I'm in technology, I'm pretty comfortable with it. I know that most of this fear mongering is pretty baseless; I can review the traffic on my network to see nothing nefarious is happening.
> I see so many of them in homes of people who are in the tech industry.
I resisted having one until everyone in my house started turning on their "assistant"s...
I have 4 smartphones in my home, all with assistants running and listening continuously (plus guests' smartphones). It's no longer "it might be listening" but "we told it to listen".
I noticed after a few months of this that I kept forgetting there were devices listening on in the house (and sensing things).
Alexa, partly with its physical presence and partly with its frequent false positives, is an excellent reminder (to you but also to your house guests) that something(s) is listening in on you.
The next best one is Google's AIY Voice Kit where you can so very easily keep the red led button always-on.
Many of us carry around an internet-connected mic and GPS tracking device in our pockets all day, and seem to be ok with that. What's the additional problem with a standalone in-home device that does the same thing?
At the end of the day I'm trusting that Google/Sony won't start listening to everything that happens near my phone all the time. I'm trusting that when I leave my phone on my desk to charge, my co-workers won't tamper with it.
With something like an Echo, I'm similarly trusting Amazon not to listen in all the time. And to compromise it, you'd need to be in my home, physically messing with it for at minimum several minutes without my knowledge.
Correction: Amazon Australia, which ships some items to New Zealand, just launched literally a few days ago :)
I had a look at Alexa availability a few months back and while none ship here to the US, I'm sure there are those who import plus freight forwarding could get one. Just depends how keen you are really.
The thing with a microphone - yes; but definitely not with an always-on data connection. I only turn that on when I actually need it; same with GPS and wifi.
Yes, however that is far more limited scenario - it's much easier to notice that free space on my phone is disappearing. And that space is not limitless anyway, so after certain period of time it'd have to either drop old recordings or stop making new ones.
I have one. Do I like the privacy aspect? No. But my wife breastfeeds our baby for 3 hours a day and she needs music and audiobooks that she can control without using her hands. It's a simple trade off. My privacy is worth something but not infinitely valuable.
She likes holding him instead of fiddling with a remote. Overall the privacy issue is just not at the bottom but not anywhere near the top of our priorities.
Until you get a (targeted) firmware update that allows for just that. Even if there is no malicious intent now, can you be absolutely certain that that won't change? That there aren't or won't be any hidden keywords that will trigger recording / transmitting in silent mode?
If I were planning to use these devices for surveillance, I'd of course provide only the utility first while privacy-minded people are still skeptical and then turn on the surveillance gradually after these devices are deployed nearly everywhere, integrated into every-day life, and can't be (easily) removed anymore. [0]
The current version might have a hardware kill switch for the microphone. Will the next batch too? The batch after that? How many people will actually go out of their way to toggle that switch to be certain it isn't listening instead of believing it isn't in good faith, or worse, not even thinking about whether it might?
Perhaps these devices won't ever be used for mass surveillance, or perhaps this is the beginning of Telescreens as they're described in George Orwell's 1984. Both Amazon and Google make vast quantities of their income by excessively undermining privacy in favor of targeted advertising. I'd call it fairly naive to expect them to now build privacy-minded devices that have as much spying potential as the Echo and Dot have.
Obviously it would, however phones run on battery power and having the microphone always-on would drain the battery fast, which users would most certainly notice and also care about (more recharging, phone becomes unusable due to empty battery a lot faster).
Keeping the recent and current state of technology and where it is heading in mind, I think it's fair to say that consumers care a lot more about being able to use their phone than they care about that phone or the apps on the phone to collect data about them.
The parent comment suggested that these devices are already sending all of your conversations to Amazon. Which they are not. Of course the potential exists for devices to be compromised in the future, and that is something everyone should be aware of when putting one in your home.
I have seen more than one comment suggesting that Amazon currently stores everything it hears in passing on their servers. I have seen no evidence to suggest that is the case. Informing people on the potential risks is fine, but spreading FUD is not.
That's also a tradeoff I'm not willing to make. I could easily build her a system that lets her play music and podcasts by voice. However it would take tens of hours. That's time I'm simply not willing to divert from other areas to avoid a microphone in my living room. If it was a camera in my bedroom the calculus might be different.
> Anyway, pretty soon we'll have open source speech recognition, so I guess then you'll really have no excuses left.
What changes with an open source implementation? Your home-build device can be compromised as well, it needs mics as well. So, you'll gain nothing.
Are you questioning that Alexa/Echo works as advertised (waiting for a wake word) or are you not informed about how Alexa is supposed to work (out of the box, not compromised)?
Do you allow computers and cell phones? Or is there something special about a microphone when it's attached to something shaped like a hockey puck instead of a box?
I do not grant my phone permission to constantly use its microphone. Unless it is being tampered with, which is beyond my control, the microphone should only be in use when I enable it.
I physically remove the microphones and webcams in my laptops and use a USB microphone with a physical power switch. This is probably unnecessary as, by the same logic as my phone, nobody should have access to these peripherals unless I grant it. But it helps with paranoia. I don't like a camera and microphone pointed at my face constantly.
No way in hell would I buy a device where "always listening" is listed as a feature.
> I physically remove the microphones and webcams in my laptops and use a USB microphone with a physical power switch.
I say this not to belittle you or to minimize your feelings or experience, but you have to understand that, among the general population, your needs/wants here are in a very tiny minority. The number of people who do what you do is vanishingly small. The vast majority of people do not care, and those who do will often make a conscious decision that the trade-off is worth it. And that's ok! As long as you can continue to take care of your needs, and other people can take care of theirs, then all is well.
The same hack applies to your phone. So what? Keep it physically secure.
I find it laughable that folks may try to steal things from you with software once they have physically breached your house. At that point, they could just steal your wallet, your car, your Echo etc.
This also confused me when I saw it as well. I wasn't sure if the first echo was an April fool's joke or if they were serious.
I was even more confused when people actually started buying them. It's always startling when I go to a friend's house and Alexa gets triggered accidentally.
At the time it came out, voice triggered smart assistants had been available on phones for years, and computers for decades. All it did was put that feature in a different package.
Anecdote. I live by myself and rarely speak to myself. My office in the back has no alexa or any microphones - my phone stays out of this room. The rest of the apartment is generally silent. True - it may listen to what I'm watching on TV but the cable company already knows that?
Very useful so far and I'm not not paranoid...
Sorry this is late. I barely use her for anything. But there is a difference between typing out a request and something being on the top of your head/the tip of your tongue.
‘Play the marriage of figaro! Play the charge of the light brigade. Play Run DMC. Play Irish music.
What is the temperature outside. What’s the time.’
It completely baffles me as well, It is hard to be a bigger complete and utter tool than invite this into the home. Not least because it does NOTHING you actually need. Just a privacy miner that you pay hard cash for. Amazon is laughing.
Seriously as others have pointed out thats NOTHING. Anyone can do this to pretty much any device, I did that to my ISP's router even and don't feel its any less secure because of it. Its an interesting hack but its not proof of any insecurity of Alexa.
I don't think its such a good idea to over-dramatize these things for personal gain (like the author) because it hurts the security researcher community as a whole. I've already lost ANY trust of any security guys talking about the end of the world vulnerability they found, 99% of the time its bullshit like this. But I can read their disclosure and quickly discern whats irrelevant, I can imagine most non-IT people not able to do this and thus becoming MUCH more desensitized to ACTUAL vulnerabilities. Yet another boy who cried wolf security guy, they should've published this as "how to root your alexa" that would've been actually cool, this is just garbage.
I recently got a Google Home, and I've been thinking about how to potentially build a "is-the-microphone-actually-recording?" device. A basic one should be possible just by watching the power draw, but that would probably trigger if it decides to download a firmware update or whatever too. I expect this has been done before?
Of course it's listening, at all times. Otherwise it would not be able to react to the trigger phrase. What is interesting is whether it sends this data anywhere, and that is probably impossible to ascertain, since it could store it for a while and tunnel it out with innocent looking traffic.
It would be interesting if it could be determined if it stores the passively obtained data at all. If one could monitor writes to memory while in passive state it might give a clue.
I think I might be one of the few people in this thread who now want to buy an echo specifically to root it and play with possibility connecting it to my own servers...
I solve the sensitive conversation problem by having my device hit an IFTTT task to disconnect itself from the lan. Then I have another task to turn it back on.
I'll worry about this when I need to worry about someone breaking into my home and finding a reason to modify electronic devices utilizing the debug ports on stationary products.
I also don't take myself so seriously when I don't find a need to.
I see some confusion as to why anybody would want these devices in the houses whatsoever and would like to offer an answer:
Quadriplegia.
Imagine walking into your house one day and all of the keys had been taken off your keyboard, every light switch is smooth, all of the doorknobs have disappeared, the controls on your stereo have disappeared and every other switch, lever and/or physical method of interacting with your devices had disappeared. That was what it was like to be me as a quadriplegic Geek.
Then came the Amazon Echo and its ilk. The Echo coupled with Home Assistant[1] has absolutely revolutionised my life and enabled me to do all of the things above that I wasn't able to do before. It's a pretty compelling reason for me.
Am I worried about my privacy? Absolutely. Am I any more worried about the Amazon Echo than I am about the microphone in my iPhone, television, MacBook Pro, iMac and weirdly my fridge? Nope.
As others have pointed out it's a trade-off, I could be completely private and not be able to do anything or I could accept this somewhat Faustian bargain and be able to control almost every aspect of my house. Crappy situation to be in, but there is.
There are a few open source alternatives coming through which keep everything within the wire, but until they get traction enough to be out interact with all my other devices I can't use them. Which sucks.
Anyway, hopefully this comment was helpful and am available to answer questions on any topic other than physics. I'm rubbish at physics. :-)
[1]: https://home-assistant.io/