For the most part, suburban Maryland grandmother Pauline Cook just teased her Amazon Echo.
Before leaving for work in the morning, she might ask the Echo’s onboard AI, Alexa, for basic information: the weather, traffic updates.
But for the most part, her interaction with the smart home device—a Christmas gift to her husband—was limited to human-robot antagonism.
“Whenever I would come into the room, I would ask it crazy questions like ‘Why do you exist?’ or ‘Who are you?’ Those types of things,” she chuckles.
“Whatever crazy question I’d think of.”
On March 7, Cook was at work, where she manages SEO and social media for a nonprofit, when she saw the news about WikiLeaks’ Vault 7 release—the biggest leak of CIA documents in history. For Cook, the story was a big deal.
She had closely tracked the fallout surrounding WikiLeaks’ release of emails throughout the 2016 presidential election, but on top of that, the Vault 7 release concerned one of her favorite subjects.
“I’ve watched a lot of documentaries on things like the dark web, Tor, zero-day vulnerabilities … this is the type of stuff that interests me,” she says.
So, she wasn’t exactly surprised by what was found in this latest trove of documents: a startlingly vast cache of CIA cyberweapons, containing several hundred million lines of code, that were developed to hack into an array of common consumer web services, apps and devices.
Many of the cyberweapons were made possible by stockpiling the same kind of zero-day vulnerabilities—that is, holes in computer software that hackers can exploit quickly, with “zero days” before vendors are able to patch them—that Cook had learned about.
Others were made possible using Trojan horses: deceptive, malicious computer programs that dupe their victims into unwittingly disclosing private information or opening a backdoor to the perpetrator.
The most widely reported revelation was that the CIA had the capability to hack into iPhones and Android phones, taking control of the onboard microphones and cameras or intercepting messages and audio, using techniques that could preempt protective end-to-end encryption services like Signal, WhatsApp and Telegram.
One particular hack stuck out to Cook, though: a project the CIA code-named “Weeping Angel.” Like many of the project codenames that Vault 7 revealed—eight of which were named after Pokémon, such as “Dugtrio”—the Weeping Angel project was a callout to geek pop culture, and a particularly menacing one at that.
In Doctor Who, Weeping Angels are monsters that look like stone statues as long as you’re observing them. But as soon as you turn away, or even so much as blink, the Weeping Angel can move, feed off the energy of its victims and kill them.
It was a particularly fitting project name given the hack: an insidious exploit that allowed the CIA not only to listen to and record people through the web-connected voice control microphones in Samsung smart TVs, but to do so using a “fake-off mode” that could trick the consumer into thinking the TV was off even when, secretly, it was still on and listening.
“When I saw this, I decided that I was going to go home and see what Alexa had to say about it,” Cook says, since the Echo is essentially just a big microphone connected to the internet.
In a short video that would be retweeted thousands of times and rocket to the front page of Reddit, Cook, adopting the tone of an attorney, interrogates Alexa. “Alexa?” Cook asks, as the device’s iconic blue ring lights up to indicate that it’s listening, “would you lie to me?”
“I always try to tell the truth,” Alexa replies. “I’m not always right, but I would never intentionally lie to you or anyone else.”
“Alexa?” Cook continues, as the blue ring lights back up, “what is the CIA?”
“The United States Central Intelligence Agency—CIA,” Alexa responds.
“Alexa,” Cook says, “are you connected to the CIA?”
Rather than providing a response, or even the usual “Sorry, I don’t understand the question,” the Echo made a soft chiming noise and simply shut down.
“Alexa,” Cook tries, more firmly this time, as the ring lights back up. “Are you connected to the CIA?” Again, the chime, the blue light ring turning gray and silence.
They recently updated it so whenever you ask if it’s connected to the CIA, it will respond “I work for amazon not CIA”.
However if you ask if amazon works for the CIA it will go silent again. Some people say it goes silent when it doesn’t know a response to a question. Or maybe the governments are spying on us…
Amazon and the CIA have a cozy business arrangement for cloud computing services, to the tune of $600 million. Could there be reciprocal services for eavesdropping on consumers using Amazon’s Alexa?