
How an Amazon Fire Kids tablet was allegedly used to stalk a security pro

The privacy nightmare of people being able to listen in to any of your Alexa-enabled devices is all too real. Could it happen to you?

Ever since Amazon Alexa debuted and Echo devices proliferated in our homes, people have feared that they could listen to their private conversations. According to research by Richard “Dick” Morrell, white hat security hacker and founder and former CTO/Chairman of security company SmoothWall, they were right to be concerned. 

He says Alexa-enabled devices — all half a billion of them — can indeed be used to spy on you in some circumstances.

Specifically, an Amazon Fire 7 Kids tablet on your network can be used to pry open the rest of your Alexa-enabled devices, including the Amazon Echo Show in your kitchen, the Ring video doorbell at your front door, the Echo Dot in your bedroom, and the Sonos Connect in your living room. 

How can this happen? Simple. Alexa has an optional drop-in feature that enables you to listen in on other Alexa devices on your network. Amazon intended this to be used as a home intercom system, but it can be abused. 

In particular, Amazon Fire 7 Kids tablets have two levels of access. One is for its target audience: kids. The other is for adults to set parental controls. Apart from that, they are full members of your local Alexa network.

As Morrell explained, “They look innocuous in their rubber bumper case, but people don’t realize that it is just an adult tablet with a kid’s user interface.” That means “you can still get full admin rights,” including the ability to drop in on all of the other devices registered to you.

Morrell’s story

In Morrell’s case, he says an Amazon Fire 7 Kids tablet was used to turn the Echo gadgets in his house into listening devices.

Morrell, a former Gartner CTO and Red Hat Lead Security Evangelist, knows security like the back of his hand. When he found himself the target of a sophisticated stalking attack via an Amazon Fire 7 Kids tablet that he didn’t know was still connected to his account, he was shocked. Someone was listening in on him and looking into his activities and records for approximately two years.

This came even after he changed his Amazon account, refactored his two-factor authentication, and used a secure password generator to create a complex password. He assumed he was safe. He wasn’t. Because the adult account on the Amazon Fire 7 Kids tablet was his, this gave the person who had the tablet full access to his Amazon accounts and data. 

Further, when he checked on his Amazon account portal, he could not see the two Amazon Fire 7 Kids tablets registered to his account in the Manage Your Content and Devices page (MYCD). Here, you’re supposed to find your Fire tablets, Echo devices, and other Alexa API-enabled devices. But the two tablets were not listed. Had they appeared, he would have deregistered them. Morrell felt safe from unauthorized snooping. 

He wasn’t. The Amazon Fire 7 Kids tablet acted as a trusted software token — a skeleton key to his Amazon records and devices. With it, this person could obtain access not just to his Alexa devices, but to his Alexa Auto and the Alexa instance on his Android and Apple phones as well. 

Amazon replied that the company has been unable to discern how this could have happened, but it is looking into the issue. It said, “We understand the devices in question were deregistered in February 2022 and, therefore, would not have shown up on MYCD after that date.”

The company added that if you have turned drop-in on and want to switch it off, you can turn it off for your entire household by following four simple steps: Tap Communicate in the Alexa app, Tap Contacts, Tap My Communication Settings, and Turn off Drop In.

Part of the problem is that while Alexa devices will alert you when they’ve been dropped in on, you may not realize that’s what they’re telling you. For example, I get yellow alert lights on my Echo Dot when I get a weather notification. It looks similar to the green light of a drop-in, and it would be easy to mix up the two if I wasn’t paying close attention.

Beyond the risk of someone listening in on you in real time, Amazon keeps more of your records, and those of your kids, than all but the most paranoid privacy-conscious people ever dreamed of. The audio records are kept as five-second WAV files. These could be listened to as well by someone with this kind of access.

But, there was far more. Morrell said, besides saving the audio, since the Kids tablets were trusted devices, the attacker could have accessed all the data Amazon was capturing. 

Morrell added, “When I put a request in for all of my data, I would expect to receive 20 or 30 folders of data, 25 gigabytes of data, right? But what I actually got was several thousand folders of data where they give you absolutely everything down to a level where if you’re a software developer, it’s manna from heaven.” 

In his case, Morrell found full records going all the way back to 2013. Every single transaction, keystroke, button press, and API function of every Alexa-enabled device was recorded. That also included every word his Echo devices heard, and every film, TV program, Kindle book, purchase, and item he had searched for.

Morrell also found this data included all his photos that were automatically stored in Amazon’s free photo service. Since he deposited bank checks online by snapping photos, those could have also been seen. In addition, his Google contacts were open because he has Alexa on his Android phone. This also meant his phone call and texting data were available. Finally, his email was vulnerable as well because he used an Amazon email account. The attacker could have seen all of that because, Morrell explained, “It copies all your credentials to the cloud, and the tablets were acting as trusted secure devices just like, say, a Yubikey.” 

On the positive side, there is no password or credential security risk. That user data is safe at an account level. The attack can only be made when a tablet is in the hands of a malicious or snoopy user who wants a single-pane window into the Amazon life history of the target user.

Amazon’s recent privacy troubles 

Morrell made these discoveries before Amazon agreed on May 31st to pay more than $30 million in fines to settle alleged privacy violations involving Alexa and its Ring doorbell camera. The FTC claimed Amazon violated privacy laws by keeping recordings of children’s conversations with Alexa, and, in another suit, that its employees had monitored customers’ Ring camera recordings without their consent.

Specifically, the FTC claimed, “Alexa’s default settings still save children’s (and adults’) voice recordings and transcripts forever, even when a child no longer uses his Alexa profile and it has been inactive for years.” As a result, Amazon has retained the personal information of thousands of children who are not even using their Alexa accounts, in violation of the Children’s Online Privacy Protection Rule (COPPA).

In addition, “Amazon also failed for a significant period of time to honor parents’ requests that it delete their children’s voice recordings by continuing to retain the transcripts of those recordings and failing to disclose that it was doing so.”

While Amazon disagrees that it did anything wrong in this case, the company has reached a settlement with the U.S. Department of Justice (DoJ) regarding these allegations. The data collected on the Kids tablets has also been retained, including any voice recordings made via them.

Amazon Fire tablet security concerns 

All Fire tablets, including the Kids versions, use an ancient Android system. The latest Fire OS 7 version is based on Android 9 Pie (API level 28). The latest version of Android is Android 13. 

Pie was released almost five years ago. That’s an eternity in technology years. It’s no longer supported. Since Android is backward compatible by design, you can still run newer applications on it, or Fire OS, but security at a deep level is another matter entirely.

Nevertheless, Morrell said, “The generation I bought my children in 2018 will be supported until 2025. I don’t know of any other Android device that receives updates seven or eight years after the device was bought.” In his opinion, the new updates they’ve been receiving must be user interface updates, not security patches.

That said, while Amazon officially hasn’t commented on these issues, sources close to Amazon report that Amazon has modified the Amazon Alexa service provisioning process starting in mid-May. It now requires a Kid’s tablet to authenticate during setup using the master account. This immediately locks down any new tablets joining the subscription service. But, it does not prevent existing older tablets from being used for nefarious means should an abuser have local physical access and a credential that has been cached locally.

Amazon has also changed its Amazon Photo service so that users must authenticate to the master account. This is done with an Amazon authentication server API call. This makes it more difficult for unauthorized users to look in on your private photos. 

What should you do? 

Morrell suggests: “If you are worried about these issues, you should treat your Amazon account as compromised. Sign out of all devices using that facility on the Amazon Alexa web portal.” 

You can also use the Alexa smartphone app to do this. You may be better off using the app since Amazon is reducing the website’s support of Amazon devices and Alexa features. For example, the website lists only four of my Alexa devices, while the app lists ten.

Either way, once you’ve signed out, you’ll be logged out of all your devices, such as Echos, Fire tablets, smart plugs and bulbs, Ring devices, and so on. Additionally, you’ll be logged out of any live sessions you have with Audible, Kindle e-book readers, and smart TVs using Amazon Prime Video.

While you’re at it, you can remove devices and services you’re no longer using with the deregister command. For example, I found an antique Kindle Fire from 2011 registered that I have yet to use this decade. 

According to sources, Amazon is working hard to fix the inherent security problems. According to Morrell, there has been an “immediate call to arms of Amazon’s device security team in the U.S. and Amazon Group Legal that steps were taken at the highest level to deliver changes. That speed of response may just have prevented many other families, children, and vulnerable adults from being put at risk.  Amazon is to be applauded for its professionalism and its ability to engage staff, at speed, to find engineering solutions to stamp out abuse.” 

But you still need to take care of your own security. 

As Morrell said, “If it can happen to the guy who wrote the security book, it can happen to any of us.” More at home finding bugs in Tesla or the London Stock Exchange, Morrell never thought he would become the target, or the story.

In other words, Morrell concluded, “The golden rule here is, if you think you’re vulnerable or at risk, take steps now. Not later.”

As for Amazon, the company says, “We care deeply about the safety of our community, and abuse of any kind is unacceptable. We’ve built our devices and services with multiple layers of security to help protect our customers and their information. We have been working with this individual directly to understand and address concerns they have with their account. The Alexa Drop-in feature is optional, requires customers to explicitly give a contact permission to drop in on their devices, and plays an audible tone before a drop-in begins.” 
