And yes, I work on this stuff. Neither Google nor Amazon have the hardware limitations you suggest.
Echo devices only begin recording if they think they hear the wake word. Obviously this is less than straightforward, hence the recordings that didn't follow the wake word (just examples of an Alexa device incorrectly thinking it heard it).
To suggest that a serial root console is a point of attack for an Echo device is bordering on insanity. You'd need a breakout board connected via the USB interface (not port, mind you) in order for this work-around to be effective. So yes, if a hacker had physical access to your device, time enough to solder on a breakout board, said third-party could record a variety of things.
But then, it's a whole hell of a lot easier to just install a mic in someone's house and get the same effect, now wouldn't it?
That was not what he said. He argues that Amazon/Google could remotely use a similar exploit (without direct access to the hardware) to start recording without lighting up the LED.
Please, feel free to explain how Amazon and Google could exploit that vulnerability (that has since been patched)? More importantly, I'd love to hear how they are going to pull this off and hide it, given network traffic will be a dead giveaway?
If what you're suggesting is actually what he meant, that's even more absurd than attackers trying to do the same.
A simple disclosure would have lent your comments more credibility.