Alexa, who else is listening? | WeLiveSecurity

Your smart speaker is designed to listen, but could it be eavesdropping too?

Ever since Amazon came under fire for being able to potentially listen in on people through its Echo smart speakers, and even transcribe what they were saying, I have been intrigued by the idea of how IoT could be used to snoop on us, unbeknown to the victims. Big tech companies behind Alexa-enabled and other similar devices have since taken steps towards making them more privacy focused, but I recently demonstrated a feature that you should be aware of.

Let’s cut right to the chase.

Trouble with an ex

I was recently asked by a friend to help check if she had been hacked, because she could not work out how her ex-partner knew specific information about her life and even private conversations she had had.

I first checked her phone and laptop by running ESET’s security software, and couldn’t see any malware or anything untoward. She mentioned that it was as if her conversations were being listened to and mentioned some of what she had only said to others had been relayed back verbatim.

This is when I checked for listening bugs. I didn’t discover anything that shouldn’t be there. However, I was interested in the family’s Amazon Echo Dot smart speaker and asked who could have access to it. She told me that her ex-partner had set the device up two years previously, when they were together, and they both had access to the speaker via a shared account, but only she used it now.

As she hadn’t changed her Amazon password, or any other account passwords, since her breakup with her partner, this was a good place to start investigating. I wondered if the device could be used to eavesdrop remotely via the app by anyone with access to the account, which would have let them listen in to her conversations. I remembered I had heard it was possible, but I wanted to test myself that an Alexa device could be used as a covert listening device.

So I bought an Amazon Echo Dot and long story short, my gut feeling didn’t fail me.


The privilege problem

Some smart devices can be taken out of the box and immediately plugged in and used with default, and therefore usually insecure, settings. Obviously I have never been a huge fan of default privacy and security settings on the majority of smart (or almost any other) devices even after Amazon and a number of other technology giants have been forced to improve their settings in order to better protect users from intrusive practices by manufacturers or third parties.

Now, people don’t normally realize how easily the devices themselves could be used as spying tools by anyone (more precisely, the device’s admin) with illicit intent. (Obviously it’s not a security vulnerability if an admin can enable it via a checkbox; take note of Law #6 in Microsoft’s Ten Immutable Laws of Security: “A computer is only as secure as the administrator is trustworthy”.)

So, I set up my Echo Dot with a unique and strong password and enabled two-factor authentication using an authenticator app, and connected it to my phone. I was also able to connect it to my iPad with ease and I was relatively happy with the security.

I then went to “Devices” in the app and selected my “Echo Dot” and “Settings”, then enabled “Communication”. I then tapped on the “Drop In” feature to enable it. Then back in the “Communicate” tab, all I had to do was select “Drop In” and select my Echo Dot and I was able to listen in to the room that it was in. Easy as pie. I even logged off my home Wi-Fi and connected via 4G to prove I could easily do this from another remote location too.

When you Drop In and listen in to a room, the device light ring displays a spinning green light and it also makes a small ring sound to make those in the room aware of the Drop In. I was unable to Drop In with this light and sound turned off, but an unsuspecting victim might not hear it or simply think nothing of it. After all, these devices tend to make lots of sounds and always seem to have coloured light rings for some reason.

I also decided to check the device logs via my app, but unfortunately there weren’t any logs or anything to suggest I had “dropped in”, which makes forensic evidence more difficult in such a situation. Logs in Echo Dot devices are called “Activity”, but there’s no way to record the use of the Drop In feature.

The spy in your smart speaker

Back to my friend now. When I asked her if there was a chance her Echo Dot could have been used to listen in, it seemed like she experienced a lightbulb moment. She noted that her Alexa would often have coloured rings spinning and she assumed the sounds were to do with her self-claimed “deluge of Amazon purchases” and other notifications.

She claimed that she simply thought that her Alexa was listening for keywords, rather than allowing anyone with her password to listen in on her. She immediately felt uneasy, changed her password, and made her phone the only device pairable with her Echo Dot.

Her device has not made any strange sounds or lit up unintentionally since, and she says she now feels far safer.

Is your home bugged?

There are lots of listening devices on the market, but those hiding in plain sight (and not normally thought of as ‘listening bugs’) are often the most commonly used. It goes without saying that we should be aware of their capabilities if they are going to feature heavily in our homes.

As a result, it is vital that people follow a few tips when using smart technology to remain safe and secure:

  • Always use strong and unique passwords
  • Enable two-factor authentication
  • Review the device’s settings
  • Only connect to devices that you own access to
  • Do thorough account maintenance: configure user permissions and disable or remove accounts if they’re not needed
  • Change the password if you suspect someone has access to the account who shouldn’t
  • Turn off the device or disable listening mode when having sensitive conversations

iPhones as listening devices

Lastly, aside from the perhaps more obvious devices like smart speakers, did you know that Apple AirPods can also be used as listening devices? Few people seem to be aware that all that somebody has to do is turn on an accessibility feature called Live Listen on their iPhone and with AirPods in their ears, they can use the phone, left in any room, as a listening device. Who would suspect that an apparently “forgotten” phone was actually a deliberately planted “bug”?

Stay safe!
