Woman Says Her Amazon Device Recorded Private Conversation, Sent It Out to Random Contact

Gary Horcher, reporting for KIRO 7 News in Seattle:

But Danielle said two weeks ago their love for Alexa changed with an alarming phone call. “The person on the other line said, ‘unplug your Alexa devices right now,’” she said. “‘You’re being hacked.’”

That person was one of her husband’s employees, calling from Seattle.

“We unplugged all of them and he proceeded to tell us that he had received audio files of recordings from inside our house,” she said. “At first, my husband was, like, ‘No you didn’t!’ And the (recipient of the message) said ‘You sat there talking about hardwood floors.’ And we said, ‘Oh gosh, you really did hear us.’”

Danielle listened to the conversation when it was sent back to her, and she couldn’t believe someone 176 miles away heard it too.

It’s a bit maddening that they don’t say how this was sent. As an attachment in an email? Who was the email from? We don’t get to hear the recording, either.

Danielle says she unplugged all the devices, and she repeatedly called Amazon. She says an Alexa engineer investigated.

“They said ‘Our engineers went through your logs, and they saw exactly what you told us, they saw exactly what you said happened, and we’re sorry.’ He apologized like 15 times in a matter of 30 minutes and he said we really appreciate you bringing this to our attention, this is something we need to fix!”

But Danielle says the engineer did not provide specifics about why it happened, or if it’s a widespread issue.

This seems like a very strange bug path. Why would the Echo record anything, and why is there even the capability of sending a recording to a contact? You can’t make a recording and send it to a contact even if you want to with Alexa (as far as I know), so why is it even possible for it to happen inadvertently?

This confirms the worst fears of those skeptical about the privacy implications of these voice assistants.

Update: So it turns out Alexa can send a voice recording to a known contact. This must be the feature that went haywire in this incident.

Thursday, 24 May 2018