The bug does not allow the recordings to be passed on to hackers, but they would remain with Amazon itself, the company said, as quoted by The Telegraph.

Echo, a smart speaker introduced by Amazon at the end of 2014, connects to voice-controlled personal assistant service Alexa. The device can set alarms, provide weather or traffic reports, make to-do lists, stream podcasts, and play audiobooks. Echo is also designed to control several smart devices acting as a home automation hub.

The smart device usually listens in order to wake up when it hears the word ‘Alexa.’ Then the user may send the speaker a command, like “Alexa, what’s the weather today?” or “Alexa, play jazz.” The user’s interaction with the speaker is recorded to improve the service. However, once  the command is finished, Alexa should stop recording.

The speaker’s skills could be further developed and allow Alexa to listen to the user’s surroundings long after it should have switched itself off, according to the Checkmarx researchers, as cited by the media. Then, the device may automatically transcribe what it hears for a hacker.

The nature of the bug lies in Alexa’s inability to hear a command correctly all the time, with the Echo forced to ask to repeat it again. This ‘re-prompt’ feature could reportedly be exploited and be programmed to carry on listening, while muting Alexa’s responses, according to the researchers.

“For the Echo listening is key. However, with this device’s rise in popularity, one of today’s biggest fears in connection to such devices is privacy,” Checkmarx told the media. “Especially, when it comes to a user’s fear of being unknowingly recorded.”

Related:

TURNING AN ECHO INTO A SPY DEVICE ONLY TOOK SOME CLEVER CODING [wired.com]