A blog Series on the risks associated with using “Internet of Things” smart devices by Michael Wangerin

What’s the worst that can happen if I get an Amazon Echo (Alexa)?

This is a question that will rapidly evolve over time. Amazon appears to continuously be developing new features for the product, as Farhad Manjoo reported to the New York Times. According to Manjoo, Alexa “learned” several new features during his three-week review period. This includes the ability to control a few additional smart home devices, integration with the Pandora music streaming service and the ability to query about traffic conditions.

More features are likely to continue arriving because Amazon has established the Alexa Fund. According to Amazon’s website the fund, “provides up to $100 million in venture capital funding to fuel voice technology innovation.” They have also released a series of APIs (application programming interfaces) which allow developers to create programs to interact with and provide services that integrate with Alexa. While that is quite common in technology, it means nefarious individuals or organizations could potentially build malware and/or exploits that attack or compromise the devices.

What Can Alexa Do?

Based on Alexa’s capabilities, the most serious potential risk appears to be potential financial loss or theft. Alexa comes configured by default with “purchase by voice” ON and “Voice purchasing Confirmation Code” set to OFF. Since Alexa does not have voice recognition yet, Alexa will respond to anyone who asks it to order a product. Even worse, Alexa will respond to your TV or radio if it hears the “wake” word.

Note: You cannot use a voice command to have Alexa cancel an order placed using “purchase by voice.” That action is only available on the Amazon web site or app. You can disable the “purchase by voice” feature or enable the “Voice purchasing Confirmation Code.” You can also require the use of a 4-digit PIN to confirm all voice purchases.

The Dollhouse Incident

A well-publicized incident involving 6-year-old Brooke Neitzel from Dallas, Texas demonstrates this risk. Brooke asked Alexa to order a dollhouse and cookies. Her parents were surprised when a $160 dollhouse and a 4-pound tin of sugar cookies arrived (Jennifer Earl, CBS News).

A number of viewers of CW6 TV in San Diego called the station to report their Amazon devices responded to the news report after TV News Anchor Jim Patton repeated the command Brooke had used, which included the wake word “Alexa.”

Alexa’s Privacy Risks

Another potential risk is the loss of privacy. All commands Alexa responds to are sent across the Internet and kept on Amazon’s servers. Those commands could potentially be subject to release to law enforcement under a court-ordered warrant or to hackers able to penetrate Amazon’s security.

As part of an investigation into the death of Victor Collins which began in November 2016, Bentonville police have said that there is “reason to believe that Amazon.com is in possession of records related to [their] investigation.”  (Agatha French, LA Times).

This case has raised the question whether courts will attempt to force Amazon to release information recorded by Alexa. According to French, Amazon has refused to release the data twice thus far. French’s article reports that according to Amazon, the company “will not release customer information without a valid and binding legal demand properly served.”

[cta_widget block=”cta-eds”]

According to Lee Tien, senior staff attorney at Electronic Frontier Foundation, “For a warrant to be valid, it has to establish probable cause and describe what they want in particularity. You’re getting into problems if you say you want everything. What struck me about this warrant was the lack of particularity. It seems wrong to say that just because there’s this device that’s always on. This constitutes probable cause to believe that relevant recordings exist. There’s no clear establishment that there was any communication using the trigger word. I’m going to assume that Amazon doesn’t think the warrant has established probable cause or has asked for more information than they’re entitled to.”

The bigger question is the question of legal precedent. When asked about that, Tien said he was concerned about the setting of a precedent despite a lack of “sufficient probable cause to establish there’s anything of interest.”

Mass Surveillance Risks

Finally, the risk of mass surveillance by governmental organizations may be of concern to some people. The Edward Snowden case first brought national attention to the existing mass surveillance efforts of our government. Which included cases of collecting much more information than was allowed by law at the time.

Even if Amazon were to refuse to turn over recordings made by Alexa, it is conceivable that a governmental organization could surreptitiously collect those recordings as they pass across the Internet without the user’s knowledge. They could also potentially use the API to create applications or services which perform collection tasks in addition to features of potential value to the user.

It is likely that more risks will be discovered in the future as the product matures and its usage increases. The take away is to be aware of the risks and take steps to guard your privacy. You can do this by disabling the voice purchasing feature or at least adding a “Voice purchasing Confirmation Code”.