"Alexa, Is My Information Safe?" Uncovering Privacy Vulnerabilities of the Amazon Echo via Encrypted Network Traffic Analysis

Abstract

The Amazon Echo, also known as Alexa, entered the market in 2014 and has sub- sequently become a mainstay on people’s countertops and kitchen tables. Tens of millions of devices have been sold worldwide, yet relatively little is known about their security. A variety of smart devices can be connected to the Echo, enabling the con- struction of smart homes where users can control their lights, unlock their doors, and change the temperature, etc., by giving simple commands to Alexa. As the Amazon Echo becomes more popular, it is essential that users understand if their privacy or security is at risk. In this project, encrypted network traffic of the Amazon Echo was recorded while the Echo was in use and TCP packets were collected and parsed into vectors based on the accumulated size of the packets sent during a specific time interval. Three different machine learning algorithms were used to classify different audio inputs and an attempt was made to identify the most important characteristics of the audio inputs used by the classification models. The results showed that the classification models could tell inputs of different lengths apart with high accuracy, but the accuracy decreased when more audio inputs were added to the classification. Furthermore, the different classifications performed indicated that the length of the inputs was highly important when it came to distinguishing between different audio inputs. The same audio input spoken by two different voices was found to be indis- tinguishable from each other by the classification models. The results of this project indicate a potential privacy vulnerability where an adversary could obtain informa- tion about what questions or commands an Amazon Echo user has issued to his or her device. This vulnerability could be eliminated by Amazon padding the traffic sent and received by the Echo. This issue should be addressed and resolved for people to feel safe when purchasing and interacting with the Amazon Echo, and to ensure the development of a more secure network of smart devices.