Is your Amazon Echo always listening to you?
The world of the Internet of Things (IoT) devices is expanding rapidly, the most prominent product is the Amazon Echo and its smaller counterpart Echo Dot. Since its arrival two years ago it has received a lot of attention both from tech journalists as well as everyday users. When first purchased, the Amazon Echo and Echo Dot are limited in their functionality. Users can play music, set alarms, explain terms, manage the user´s calendar, etc. However, the user is not limited to this: the user can activate 'skills' as extensions, this adds more functions to the device through the Alexa App.
Tricks are for kids
There are now 15,000 'skills' available for activation on the device. The skills are voice control commands and once they are activated using the Alexa App, they are more or less sentences like: “Alexa, tell mytaxiservice to get me a cab” or “Alexa, tell lampproducer to turn on my bedroom light”. While mytaxiservice and lampproducer are only examples, there are a lot of offerings for similar services.
Syncing your life
Lighting up your home has become easy using the Amazon Echo, there are YouTube tutorials of individuals who demonstrate how to connect the Echo device together with other hardware like a PC card and a remote control to start up your computer just via voice control. Tuning of the device like this is not yet possible with Google Home since it only has 118 actions, which adds up to the normal functionality.
What’s all that storage for?
In contrast to other IoT devices, both Amazon Echo and Google Home do not save data on their devices, even though both Echo and the Echo Dot have large data storage capacities available. For example, version 2 of Dot has 4GB LPDDR3 memory built-in. However, Amazon states that it only uses this storage space for the firmware and data buffer. In the Echo, there is a 4GB Toshiba eMMC NAND flash storage chip inside. These two devices transfer all the voice recordings to Amazon´s data centre instead of saving them locally.
What's the issue with IoT?
Even though the recorded sound data is not saved on the device itself, it is still slightly worrying. If they are enabled and connected to the Internet, it is fair to assume these devices are always listening to what the users say in their home.
These devices respond when they hear certain ‘trigger words’. In case of Amazon Echo, it´s “Alexa”, for Google Home it's “O.K. Google”. But this is the issue; every word spoken after that trigger word is recorded and transferred to the provider´s data centres and servers. Since the recorded data is then kept ‘forever’ by Amazon, Google or others, it is important to ask what do these major tech companies do with that data.
The reason why these companies are gathering this data is simple; they want to find out information about their customers. In Amazon´s view, everybody is a potential future ‘subscription’ customer for their Prime offering.
This is why these companies have put so much money into this project and try to connect every part of ordinary life into their offerings. By having devices connected with Amazon Echo or Google Home, it is possible to survive without ever leaving the house. For an example a connected refrigerator can order missing items independently, lamps can order new light bulbs when the old ones are broken and much more. The objective is to offer the customer everything out of one platform. However, exactly how companies analyse your data often remains a secret.
Amazon Echo murder mystery
IoT devices do not just hold voice recordings from orders and commands. This was proven in a recent murder case investigation in the US earlier this year, which clearly showed that there is much more to be found on these servers. In the case, investigators demanded the Amazon Echo/Alexa recordings from a party with friends in Bentonville, Arkansas, where one of the guests was later found dead.
The homeowner is on trial for the murder of his friend and the prosecution demanded that Amazon hand over the voice recordings from the night on his Echo device in his home. According to the court records, Amazon turned over the recordings the same day they received the request. Later they contested this police request with a referral to the First Amendment of the US constitution, but since the defendant himself gave the permission to use the data this data security issue was quickly ended. Now the police are investigating the voice recordings, however, no information on the findings has been released to the public.
Future forensic impact
This case demonstrated that IoT devices will have a big impact on future computer forensic work. Today data on devices is physically available to the prosecution, public and company internal investigators. This includes but is not limited to computers, servers, smartphones or tablets, but also data stored in the cloud or external data centres, where Amazon is operating its Echo data mining. Since it is not easy to gain access to this data, in most cases data retrieval must be legally enforced.
The next steps
When the data is available for computer forensics specialists, then the work is the same as if it would be an ordinary case, after they have first made a 1:1 image of the original storage media; a hard disk drive, SSD, removable flash card, tape or any other storage media. Forensic specialists then analyse the information regarding the case and after this assessment is complete they then use specialised software tools to search through the data and find evidence that can be used for prosecution or a trial.
Remember, if you don't want your recordings from IoT devices to be stored, there is a way to delete them. Inside the Alexa App on your smartphone, there is an option to delete your voice requests one by one. If you would prefer to do a bulk delete you can do that by signing into your Amazon Account and checking your devices.
If you do want to keep your Home Assistant devices like Alexa or Google Home but also maintain your privacy for at least some of the time, both devices have mute buttons.
If you have any questions, thoughts or options on this topic. Tweet us @OntrackUKIE