Amazon Alexa sends private convo to friend

Debi

Woman says her Amazon device recorded private conversation, sent it out to random contact

A Portland family contacted Amazon to investigate after they say a private conversation in their home was recorded by Amazon's Alexa -- the voice-controlled smart speaker -- and that the recorded audio was sent to the phone of a random person in Seattle, who was in the family’s contact list.

"My husband and I would joke and say I'd bet these devices are listening to what we're saying," said Danielle, who did not want us to use her last name.

Every room in her family home was wired with the Amazon devices to control her home's heat, lights and security system.

But Danielle said two weeks ago their love for Alexa changed with an alarming phone call. "The person on the other line said, 'unplug your Alexa devices right now,'" she said. "'You're being hacked.'"

That person was one of her husband's employees, calling from Seattle.

"We unplugged all of them and he proceeded to tell us that he had received audio files of recordings from inside our house," she said. "At first, my husband was, like, 'no you didn't!' And the (recipient of the message) said 'You sat there talking about hardwood floors.' And we said, 'oh gosh, you really did hear us.'"

Danielle listened to the conversation when it was sent back to her, and she couldn't believe someone 176 miles away heard it too.

"I felt invaded," she said. "A total privacy invasion. Immediately I said, 'I'm never plugging that device in again, because I can't trust it.'"

Danielle says she unplugged all the devices, and she repeatedly called Amazon. She says an Alexa engineer investigated.

"They said 'our engineers went through your logs, and they saw exactly what you told us, they saw exactly what you said happened, and we're sorry.' He apologized like 15 times in a matter of 30 minutes and he said we really appreciate you bringing this to our attention, this is something we need to fix!"

But Danielle says the engineer did not provide specifics about why it happened, or if it's a widespread issue.

"He told us that the device just guessed what we were saying," she said. Danielle said the device did not audibly advise her it was preparing to send the recording, something it’s programmed to do.

When KIRO 7 asked Amazon questions, they sent this response:

“Amazon takes privacy very seriously. We investigated what happened and determined this was an extremely rare occurrence. We are taking steps to avoid this from happening in the future.”

Amazon offered to “de-provision” Danielle’s Alexa communications so she could keep using its Smart Home Features. But Danielle is hoping Amazon gives her a refund for her devices, which she said their representatives have been unwilling to do. She says she’s curious to find out if anyone else has experienced the same issue.

"A husband and wife in the privacy of their home have conversations that they're not expecting to be sent to someone (in) their address book," she said.
 
Jeff Bozos didn’t get as rich as Bill Gates by playing by the rules. I wonder if the Amazon shopping app has any security issues too.
 
Privacy and security don't exist in the 21st century, and that's not ok. Unfortunately, so many people are so desensitized to privacy invasions that they think it's normal, and to be expected. I saw someone on a Linux website who said that the gov could spy on him all they like, because he has nothing to hide. I liked the response of someone else who analogized it to someone who doesn't care about freedom of speech just because they don't have anything to say, adding that it's deeply antisocial, and that rights are collective, and what one person may not value might have value to an entire population.

Unfortunately, we're under siege from all angles. Spectre/Meltdown steals people's data, passwords, information, and they're indiscriminate of what operating system you run, whether it's Winblows, Mac OS, or Linux. Recent leaks to the public revealed that virtually any microprocessor manufactured in the 21st century has numerous backdoors and exploits designed into them.

Wanting privacy and security isn't paranoia, it's a well-understood human right, and you're better off keeping that old computer, so that you can use it as an offline workstation, and only go online when you need information.
 
The KGB was having issues with their telegraphs and other electronic communication methods getting compromised so they reverted back to the typewriter. I hope we don’t need to go that far.
 
I fear that it will get worse before it gets better. The only proper fix for something like this is to completely redesign entire architectures of microprocessors' microcode, a Herculean feat considering that every successive CPU has been based on the architectures of their predecessors, that is if it can be pulled off without rendering existing software incompatible with the new designs.
 
I know that basically every computer manufacturer is aware of Meltdown and Spectre but for some reason have not changed their technology to fix this. I think that’s intentional.
 
Because doing so could severely injure corporations financially. The likelihood of completely new architectures of CPUs being 100% compatible with all the existing software is minuscule. Doing so would require the entire world to totally give up every program that has ever been written, and get all new software. That would be the best way to eliminate the hardware-level threats, but it could bring the modern world to its knees in the meantime.
 
That idea is alright but many operating systems and programs are just gonna report back to their respective servers the moment you go online.

So what you’d need is to always keep your computer offline when working on private information, then back it up on a portable hard drive and scrub the computer’s hard drive before going online.

In my opinion I don’t do anything that warrants that level of security and secrecy but if you do, just keep this tip in mind.
 
Just slowly introduce this technology to the world. It’ll work its way up the ranks just like Ubuntu and OpenBSD.
 
We're fortunate that a lot of computers that are "old" by today's standards are still quite capable as far as processing power. What I meant was that for a lot of work, like graphic or video design, circuit board design, programming, etc., I've rarely had to go online. Old computers could be kept around and used offline, transferring needed downloads to them on flash drives, or Near Field Communication (NFC) like Bluetooth, or infrared.

Obviously the more a person knows, the more things they can do to protect themselves. I personally don't think I'll use digital assistants, or whatever devices like Alexa and Siri are called, until I'm strong-armed into it by society like I was with cell phones, and I have very rigid computer habits. But most people will use them without realizing how much of a potential invasive threat they can be. I think there is a market here for a free open source software (FOSS) digital assistant, so that thousands of public eyes can be on the code, leaving little-to-no room for hidden, proprietary code that spies on you. And there very well could be; I have no interest in using one, so I haven't DuckDuckGoed to see if any exist.

I've played with the possibility of creating a customized Linux system that runs entirely off an optical disc. I made a slimmed-down installation of Debian for a desktop I might use as a router, which fits nicely on a mini CD (cuz come on, admit it, they have a coolness factor :sunglasses:). It boots with isolinux. The advantage of this is that the system itself will not suffer any permanent damage from malicious code (unless it melts the CPU). If something happens, I can simply restart.

This incident is a testament that privacy is a timeless and sacred right. I don't know what the attitude was of these people before this incident, but many people just scoff at the idea of potential invasion by marginalizing the topics of activity in their home, and this way they hope they'll convince themselves that nobody would "waste their time" tapping them. And then when they discover that their unimportant and boring conversations they had no regard for beforehand are recorded, they finally start to learn the value of privacy.

Spectre/Meltdown is a completely different privacy problem, among an entire hive of them, but I just want to point out that while total security is impossible, there are reasonable things people can do to significantly increase their security. Such as using that old computer for most tasks that don't require going online, whatever it may be that normal people do :tonguewink:, using an open-source browser like Firefox or Chromium, and keeping it up-to-date, disabling the ability to configure your router over wifi, not giving guests your wifi password - instead, enable guest mode on your router and set the allowed number of guests to the minimum, etc.

I am not as knowledgeable on the inner architecture of newer Intel CPUs, since most of my assembly work is for the 8088, but I thought of something last night. This problem didn't always exist. This problem is the result of vulnerabilities that are present in the design of CPU micro-circuitry, but I think their vulnerabilities are largely because of more recent instructions that have been added. They wouldn't necessarily have to start from scratch.

Another possibility to mitigate the transition to post-Spectre/Meltdown computing you speak of would be to introduce an abstraction layer, which would essentially emulate the CPUs that existing software was designed for, because they very well might not run (natively, at least) on the newer CPUs.
 