*update 12/6/17 – So it turns out the bug occurs when you pair your Dot to an external speaker. It forces it to slip into pairing mode for no reason, although it may have been corrected with one of the updates between April and now. I’m still working on recreating the issue with the new update and will keep you posted if it happens again.
If you’ve read my blog before, you know I have an Echo Dot, which I do somewhat enjoy playing with.
Or at least I did until yesterday morning…
That’s when I learned of a fatal security flaw that made me unplug Alexa forever. The problem, which was discussed on Reddit several times last December, is one I didn’t notice until I moved from a house into an apartment.
Despite using a secured, unbroadcasted WiFi network with a VPN, hardware firewall, and MAC filter, one of my neighbors discovered my Echo Dot in their Bluetooth settings and was able to pair an iPhone to it without any interaction on my end. Amazon compromised my network.
I was sitting on my balcony smoking a cigarette and watering the plants when I heard Alexa unprovoked and out of nowhere say “Paired to Laptop iPhone.” As soon as I heard this, I was alarmed as I don’t have an iPhone. I immediately ran inside and unplugged the Dot.
Having reviewed a ton of smarthome tech, I have a ton of Bluetooth devices in my house – speakers, headphones, keyboards, lights, mice, smartwatches, and other input devices. Typically with these devices you need to press (and hold for a few seconds) a button to enter it into pairing mode.
But not the Echo Dot. Amazon apparently lets anyone connect to the Echo Dot and has no regard for how much of a security vulnerability this really is. All of my WiFi security was compromised the instant I plugged the Dot in and connected it because it’s designed to store my WiFi information. If the neighbor who connected had downloaded the Alexa program (which I know I would’ve as soon as I realized I could connect to a neighbor’s device), they could’ve accessed a lot of information.
At a bare minimum, the person connecting could play music in my home, something I’ve not encountered with any of my other Bluetooth devices. Since it’s a two-way speaker, they could also listen to everything going on in my home. How much more access they could get really depends on their motivation and skill level. Since my immediate neighbors are either retirees or families with kids, I have to assume it’s the kids, and they’ll certainly be curious enough to explore once they get in.
There was no button I had to press or hold to make my Dot discoverable. There was no interaction from me in the Alexa app. It simply allowed a complete stranger to access it.
And since nobody else is talking about it outside Reddit, I’m going to start the discussion.
Amazon – this is a huge fail, and it’s absolutely unacceptable to happen on a device that’s been on the market for 6 months now. This is a MAJOR security flaw and a MAJOR privacy issue. It’s also one I don’t experience from any of my other devices, whether made by a huge conglomerate or a small startup. It’s completely unacceptable to come from a company as large as Amazon.
This issue needs to be fixed – immediately, and I’m appalled that I even had to deal with it. I already had trepidation about allowing Alexa into my house, and I now feel like she brought with her a disgusting STD.
All my efforts to secure my Internet were destroyed the instant I connected my Echo Dot to it, and I’ve never regretted owning a piece of tech more.
RIP, Alexa and Echo…you are no longer welcome in my home…