Amazon’s Echo “Alexa” Has Become Part of Your Law Practice and Your Family—You Just Don’t Know It
The Bencher—January/February 2018
By Richard K. Herrmann, Esquire
A number of books and movies have depicted a time when computers or robots will take over our lives and rule the world. We have reached the point where our electronic devices have become more sophisticated and are blurring the lines between our private lives and our practice and we are not aware of it.
Every day we make the conscious decision to comingle our private lives with work. I can count on one hand the number of lawyers I know who carry two cell phones, one for work and a personal phone. Most lawyers carry one device that belongs either to them or their firm. If owned by the firm, personal information is stored on the phone such as contacts and websites. If the phone belongs to the individual and its being used for work, the information is no less comingled.
Many of us choose to manage our computers at home the same way. We have our own laptops or all-in-one computers for our family and we connect to the office or manage our work email from the same device (hopefully with a separate user password). Consider the Amazon Echo or Google Home devices—are they any different? They offer home control features and interesting efficiencies by being connected to the internet.
Many are not aware that the Amazon Echo, “Alexa” is moving into the social media space in a very interesting way. We can now use it as a telephone and talk to anyone we know who also has an Echo by simply telling Alexa to make the call. More interestingly, a disturbing new feature has been added, called “Drop In”, which opens the “virtual door” of your house to any Alexa user to whom you knowingly (or unknowingly) grant privileges. This means if you give a person Drop In rights, they can simply join you in your family room through Alexa and you don’t have to do a thing. Of course, Alexa announces they are dropping in, so that, if you happen to be in the room at the time, you know it. However, if you are otherwise occupied in another part of the house and return to the family room, you have no clue someone has joined you unless you notice the yellow ring rotating on the top of Alexa.
What does this have to do with comingling work and home, you might ask? In order to take advantage of these features, you may not have realized you needed to give Alexa access to your contact list on the mobile device containing the Alexa app. Alexa now has your entire contact list and she is cross referencing it with everyone on it to see who also has an Echo. Now when you look at the contacts in your Alexa app you can see who on your list has an Echo and you show up on their list as well.
More troubling is the thought that Alexa is listening for her name to be mentioned so she can react, which means she is always listening. In all the information I have read, Amazon reports the Echo is not recording anything until the word Alexa is heard or misheard by the device. We are told the device cannot be hacked to clandestinely force the recording. That kind of tampering requires some physical rewiring. A tech security company has reported on its success in doing just that.
“Recent research from MWR has shown that 2016 models of the Echo are vulnerable to a physical attack that allows an attacker to gain access to the device’s Linux operating system and install malware without leaving physical evidence of tampering. Such malware can grant attackers persistent remote access to the device, steal customer authentication tokens, and enable them to stream live microphone audio to remote services without altering the functionality of the device.” https://www.mwrinfosecurity.com/our-thinking/when-the-music-stops/
Now you may be thinking this is interesting but not important since no one is going to break into your home or office and tamper with your Echo. This may be true, but in preparing for this article, I took a detour to Ebay, which listed for sale 10,936 Amazon Echo devices. Just think of the creative hacker who rewires and installs malware onto an Echo for resale on eBay. Not only will he make a fair return on his initial investment, but he will also have unlimited access to everything you say in the immediate area and to your entire network.
The moral of this month’s column is, if you have an Amazon Echo purchased on eBay, just consider it as another member of your family, one with access to your bank accounts and credit cards—and those little family secrets that no one else knows.
Richard K. Herrmann, Esquire, is a partner in the firm of Morris James in Wilmington, Delaware. He is a Master in the Richard K. Herrmann Technology AIC.
© 2018 Richard K. Herrmann, Esquire. This article was originally published in the January/February 2018 issue of The Bencher, a bi-monthly publication of the American Inns of Court. This article, in full or in part, may not be copied, reprinted, distributed, or stored electronically in any form without the written consent of the American Inns of Court.