Over the past year, several clients have asked me, 'How exactly does the Amazon Echo work?' More specifically, “Is the Echo recording everything it hears, all the time?” This was a really great question. With millions of consumers purchasing these devices and bringing them into their homes and workplaces, it could be a privacy nightmare. In case you're not familiar with how the Echo works, here's a summary of what it is and what it does. I’ll spare you all the details, since this topic has been well covered.

The Amazon Echo has a built-in feature called "Alexa" which operates much like 'Siri' for the iPhone or 'Cortana' for Windows. To use the device, you simply say the wake word "Alexa", and then state your command. For example: 'Alexa, play music', or 'Alexa, what is the weather today?' Once a command is given, it is sent instantaneously to Amazon web servers, processed for voice recognition, and the resulting action is sent back to the Echo device in your home or business. Simple enough, right?

For the service to function properly, the Echo device is always listening for the wake word, “Alexa”. That means 24 hours a day, the Echo is listening to everything within range of its highly sensitive microphones. Depending on where exactly the device is placed, this may be of concern. According to Amazon, the Echo service only records the actual commands given to it. Per Amazon, this is to enhance the effectiveness of their service and the quality of voice recognition. While I wasn’t thrilled Amazon was recording the commands, it does make sense. From a technical perspective, this is reasonable considering voice recognition software utilizes historical data to build upon accuracy.

This explanation might have been enough for most consumers, but being a cybersecurity consultant, I needed something more definitive, and more technical. So I did what any cybersecurity consultant would do, I built a mini-lab to validate Amazon's assertions and statements.

Testing Scenario

First off, the lab scenario. I purchased an Amazon Echo Dot and placed it within an isolated network. This simply means that no other network devices were part of the network, which could inadvertently skew my results. The Amazon Echo was wirelessly connected to a Ruckus Access Point, which was then plugged into an Enterprise HP 2920 managed switch. From there, the HP switch was uplinked to a SonicWall NSA series firewall. The firewall, switch and access point all had filtering and packet-inspection features disabled. Finally, within the HP switch, I performed what is called 'port mirroring' to monitor all network traffic on my laptop via specialized software called Wireshark. If all of that just confused you, it simply means I now had the means to isolate and monitor the data coming from the Amazon Echo.

Test 1

After the Echo Dot synced with Amazon web services, I just allowed it to sit, completely unused. I didn’t issue any commands. During this period of time, I captured the data originating from the Echo. The results? Nothing much to look at. Just lots of innocuous, boring information. While some data was encrypted, the payload (amount of information being sent to Amazon) was minimal. Other than randomly checking in with Amazon web servers, not much was going on. I allowed this to go on for 5 days, all the while having numerous verbal conversations within five feet of the Echo device, but never issuing the 'wake command'.

Test 2

Now having understood the results from test 1, I decided it was time to start using the Echo. I said the command: 'Alexa, what is the weather?' Once this command was issued - wow! The amount of data and overall network traffic increased substantially. I was now seeing expected network protocols and relevant payload sizes. As with the previous test, I allowed this to go on for 5 days, giving the Echo commands as often as I could think about it. Whenever a command was given, expected results were observed within my software. The best analogy I can think of is listening to boring elevator music, and then all of a sudden listening to Heavy Metal with the volume on high. The difference in tests was unquestionable, measurable, and repeatable.

For the following two days, I bounced back and forth from test 1 and test 2, repeating each successfully several times per day. With each test, there was no variation in expected results.
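The comparison between the two tests can also be scripted rather than judged by eye. The following is an added example, not the author's tooling: it buckets the bytes the Echo sends upstream into fixed time windows, derives a threshold from the idle capture, and separates bursts that line up with a spoken command from bursts that do not. The simplified CSV layout, the IP addresses, the command log and the 5x factor are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median

ECHO_IP = "192.168.50.20"  # assumed address of the Echo on the isolated lab network
WINDOW = 10                # seconds per bucket

# Constructed samples shaped like a simplified packet-list export:
# capture time (s), source, destination, frame length (bytes).
IDLE_CSV = """time,src,dst,length
2.0,192.168.50.20,203.0.113.10,120
31.0,192.168.50.20,203.0.113.10,118
31.2,203.0.113.10,192.168.50.20,90
62.0,192.168.50.20,203.0.113.10,121
"""
ACTIVE_CSV = """time,src,dst,length
3.0,192.168.50.20,203.0.113.10,119
41.0,192.168.50.20,203.0.113.10,1400
42.1,192.168.50.20,203.0.113.10,1400
75.0,192.168.50.20,203.0.113.10,1400
"""
COMMAND_TIMES = [40.0]  # constructed log of when the wake word was spoken (s)

def upstream_per_window(csv_text, device_ip=ECHO_IP, window=WINDOW):
    """Sum the bytes sent by the device in each fixed-size time window."""
    buckets = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["src"] == device_ip:
            buckets[int(float(row["time"]) // window)] += int(row["length"])
    return dict(buckets)

def idle_threshold(idle_csv, factor=5):
    """Threshold = factor x the median non-empty window of the idle capture."""
    return factor * median(upstream_per_window(idle_csv).values())

def classify_bursts(active_csv, threshold, command_times, window=WINDOW):
    """Split windows above the threshold into explained (a command was spoken
    in that window or the one before it) and unexplained."""
    cmd_windows = {int(t // window) for t in command_times}
    explained, unexplained = [], []
    for w, nbytes in sorted(upstream_per_window(active_csv).items()):
        if nbytes > threshold:
            near_cmd = w in cmd_windows or (w - 1) in cmd_windows
            (explained if near_cmd else unexplained).append((w * window, nbytes))
    return explained, unexplained

if __name__ == "__main__":
    limit = idle_threshold(IDLE_CSV)
    print(limit, classify_bursts(ACTIVE_CSV, limit, COMMAND_TIMES))
```

An entry in the unexplained list is an upstream burst with no matching command, which is the pattern an always-recording device would produce and the one worth inspecting further in the capture.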

Conclusion

After comparing the quantifiable baselines presented with each scenario, it's a safe bet that the Amazon Echo is, indeed, not recording everything it hears within range of its microphones, rather only the commands directly issued to it. These results were compelling enough that I left my device plugged in. For those clients who were concerned, my advice is to rest easy. For now.

Now, this isn't to say these results can't change. All that separates devices like the Echo from recording everything they hear vs. just the commands issued to them is software programming. Make no mistake, the Amazon Echo only recording commands is a manufacturer choice, not a technical limitation. I also reject the notion that 'Amazon cannot possibly record everything - it's too much data'. We've heard this argument too many times over the past two decades and every time it's been utterly shattered. As internet speeds increase, compression technologies improve, and data storage media become cheaper by the day, it is possible.

For those desiring a little more control, it should be noted that you can delete your Echo voice recordings. This can be done via the Alexa app on your smartphone. You can also mute the microphones on the Echo device, but this also impedes the convenience.

The bigger question we face as consumers and citizens is, “do we continue to tolerate the progressive marriage of technology and convenience, at the expense of privacy?” In the moment, we tend to have very strong beliefs and opinions. But in practice, are we really ready to give up everything such technologies have afforded us?



Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach.

Author: Brian Horton, CEO | CISSP, GCED