“I’m not a spy and only listen when you say the magic word.” This is Alexa’s answer when asked about possible spy functions of Amazon’s Echo Dot. And this accusation is automatically upheld as soon this gadget goes online in any apartment around the world. So, what about the security of Echo and Alexa? After all, the device now available in Europe, is equipped with seven high-performance microphones and is permanently connected via WiFi to servers in the USA. Our security experts examined the Echo Dot in a short test in our IoT-Labs.
7 microphones, always on
Possible listening features of Amazon Echo are an issue since the devices came to market in the USA in 2014. And provider Amazon since then confirms that there is no espionage through the Echo system. And it is a fact that smartphone and PC users with voice recognition services such as Siri, Cortana and Google Now have long been surrounded by devices with permanently activated microphones and server connections abroad. So in this sense Echo is no innovation.
The device has seven microphones with so called „Fernfeld Speach Recognition“. Fernfeld means that commands are also received when the sound source is further away. In the test this worked from one room to another and over distances up to 30 meters. If the device hears the words “Alexa”, “Echo”, “Amazon” or “Computer”, it activates for further commands. This can also be activated by pressing the action button on top of the device.
Freely programmable skills
In addition to voice commands, the Echo device can also communicate via WiFi and Bluetooth. This is when the Alexa app is used. With the app Echo can be enabled for so-called skills. These are applications that allow the device to respond to specific voice commands, for instance connecting to an online service to retrieve cocktail recipes, play a music, or place orders at a store. Skills can also be used to control other WiFi-connected devices, for example a Smart Home thermostat. Such skills can be created by third-party providers through the freely available Alexa Skills Kit (ASK).
To what extent Amazon checks third party Skills for security is not part of this test. But it should be pointed out, that while revealing the Alexa app the testers saw some skills providing a privacy statement while others did not. As our privacy experts pointed out, it clearly is Amazons duty, to examine and guarantee the security of the offered skills, just as other vendors in their app stores, too. Otherwise, there is a risk that attackers will be able to take over control of Echo driven Smart Homes via malware infected skills.
Well encrypted communication
In this Quick-Check Amazon Echo Dot showed no weaknesses or easy to use security leaks. In the IoT laboratory, the device convinced the testers with its well-secured communication of all tested connections. This included both the connection between the Echo Dot and the Alexa app, as well as various established online connections. For the online check, the experts observed quite a lot of data exchange with more than a dozen domains already in the basic setting of the device.
Good: For communication Echo always used the TLS 1.2 encryption protocol. “Thus, all connections of the Amazon Echo Dot were adequately secured against simple man-in-the-middle attacks,” explains Eric Clausing, IoT security expert from AV-TEST: “Strong encryption was always used to obtain firmware updates or other software updates. “
The transmission of system status information was also encrypted. For this reason, it is not possible to fully prove that Amazon’s Echo Dot sends data received via the microphones really only after activation by a keyword. So much can be said at least: a steady stream of network traffic was observed, regardless of whether or not it was spoken in the test room. The encrypted data transferred, however, did not allow conclusions about the type and content of the data.
Almost no gaps
The Alexa app, tested in version 126.96.36.199, is accurately programmed and showed no obvious weaknesses in our quick check. The app also communicates encrypted via TLS 1.2 and the testers also certify here: all connections are secured against simple man-in-the-middle attacks. If data input is necessary on the part of the user, this data is stored securely by the app. When checking the app, no sensitive data was stored locally outside the protected storage area.
In an additional security check, our experts found theoretical potential for improvement: With an installed root certificate, they performed a man-in-the-middle attack and stole login credentials of the Alexa account. Even if the login attempt itself failed in this attack, the account data would still be in the hands of the attacker. Practically, however, such an attack is difficult to carry out and is therefore not regarded as a real gap.
Reason for criticism, but not relevant to the evaluation of security in this test: In default settings the app attempts to store the WiFi password in the Amazon cloud. AV-TEST‘s privacy experts do not recommend to store passwords of any kind in the cloud without need.
Remarks to Echo Dot and privacy concerns
The AV-TEST privacy experts have some comments on the use of the Echo dot in general, even if they do not shake the results of this passed quick test.
When the app starts, the information is displayed that Amazon processes audio files and other data and saves them in the cloud. It is also announced that “information is exchanged with third parties”. However, what kind of information is involved is left open and is not displayed by the Alexa app. And even the privacy statement gives no information about that topic.
There is also criticism for the fact that the privacy statement linked to the app does not specifically refer to the product Echo Dot but rather to the data treatment of the shopping platform Amazon in general. Thus, the privacy statements considerations do not mention the significant biometric characteristics of voice recording. However, comparable to a fingerprint, Amazon receives data that allows the identification of a person with no doubt. Beyond spoken content the voice can also give more information about the speaker.
According to the data privacy statement, it can be assumed that Amazon handles voice recordings in the same way as all other collected customer data. This means that they can be used quite freely and shared with third parties. Whoever sets up the device at home should be clear about this. According to current data protection laws, visitors should also be informed about possible recordings by Alexa.
Amazon Echo Dot and its app Alexa convinced in AV-TEST’s short review with secure encryption and secure storage of the specified user data. Neither the app nor the device were vulnerable to man-in-the-middle attacks. Thus, Echo Dot and the Alexa App complete the AV-TEST trial with the “Secure” testimony and receive therefore the three-star logo.
AV-TEST points out weaknesses in the case of privacy, which do not affect the results of this security test. Here, Amazon should improve. In addition, Amazon must guarantee the security of the optional third-party Skills. With malicious applications, criminals also might get access to foreign houses through Amazon’s Echo Dot.
Did you notice any trends in the quantity of encrypted packets both when you were talking to her and when you were not?
This will be subject of further analysis. We have seen a steady stream of network traffic, no matter whether we were talking or not. It looks like device telemetry is sent all the time.
Any plans for testing google home or/and The Echo dot 2?
It is currently not on our list, but we will add it now. Thanks for the hint!
Pingback: OK, Google Home. What about privacy? – AV-TEST Internet of Things Security Testing Blog
the question is whats really deleted if users delete the audio recordings via the amazon website.
only deleted the view of the files for the user or really deleted….