Amazon Echo vulnerability allowed hackers to turn Alexa into a spy

A vulnerability in Amazon’s voice assistant Alexa allowed hackers to turn the digital assistant into a spy, researchers say.

Security experts at Checkmarx made it their mission to corrupt the virtual helper, and succeeded. They managed to get it to listen to and record users for extended periods of time, and send a transcription of their conversations across to a hacker.

Though Alexa is technically always listening, it’s only supposed to spring into action, record the user and analyse their speech after they call out its name. Furthermore, those recordings are supposed to be short, long enough to capture a request and nothing more, in order to protect users’ privacy.

“First, they needed to find a way to keep the Alexa recording session alive after the user received a response from the benign part of the skill, and do so without providing any audial indication to disclose that the device was still listening,” Checkmarx wrote in a blog post.

“This was not completely straightforward, given the Echo device needs to be prompted by users between cycles, otherwise the session ends after each response to protect users’ privacy.”

It added: “Second, they needed to find a way to accurately transcribe the voice received by the skill application. Skills perform well when they are configured to accept a specific sentence format with placeholders (slots) for closed lists of values, such as colors, places or movie names (e.g. What is the weather in {City}?).

“Since they didn’t want to limit themselves to specific conversations, they set out to find a way for the Echo to accept any text.”

However, as the video above shows, they didn’t manage to find a way to switch off the Echo’s blue light ring, which indicates that Alexa is listening. It’s a big giveaway that something strange is going on.

Still, it’s a concerning exploit, and Checkmarx says it worked with Amazon to prevent it from being used maliciously. The company says Amazon responded by introducing three new protective measures:

  • Setting specific criteria to identify (and reject if necessary) eavesdropping skills during certification
  • Detecting empty-reprompts and taking appropriate actions
  • Detecting longer-than-usual sessions and taking appropriate actions
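As an added, defender-side illustration (not code from Checkmarx or Amazon), the Python below sketches how the last two measures could be checked: it inspects an Alexa Skills Kit response for a reprompt that keeps the session open with nothing audible, and flags sessions that run far longer than a skill's usual turn. The thresholds, sample responses and session records are constructed assumptions.

```python
"""Checks modelled on the two Amazon mitigations quoted above: an empty
reprompt that keeps a session open, and a session far longer than normal."""
import re
import statistics
from typing import Dict, Iterable, List

# Alexa Skills Kit response fields used: response.shouldEndSession and
# response.reprompt.outputSpeech.{type, text, ssml}
_TAG_RE = re.compile(r"<[^>]+>")


def spoken_text(output_speech: Dict) -> str:
    """Audible words of an outputSpeech object ('' if none). SSML markup is
    stripped, so tag-only SSML counts as silent (a heuristic assumed here)."""
    if not output_speech:
        return ""
    if output_speech.get("type") == "SSML":
        return _TAG_RE.sub("", output_speech.get("ssml", "")).strip()
    return (output_speech.get("text") or "").strip()


def is_empty_reprompt(skill_response: Dict) -> bool:
    """True when the response keeps the session open (shouldEndSession false)
    yet gives the user nothing audible to reply to."""
    resp = skill_response.get("response", {})
    if resp.get("shouldEndSession", True):
        return False  # session closes normally; nothing to flag
    reprompt = resp.get("reprompt", {}).get("outputSpeech")
    return spoken_text(reprompt) == ""


def long_sessions(sessions: Iterable[Dict], factor: float = 4.0, floor: float = 60.0) -> List[str]:
    """Ids of sessions longer than max(floor, factor * median) for their skill.
    The factor and floor are illustrative assumptions, not Amazon's values."""
    by_skill: Dict[str, List[Dict]] = {}
    for s in sessions:
        by_skill.setdefault(s["skill_id"], []).append(s)
    flagged: List[str] = []
    for group in by_skill.values():
        limit = max(floor, factor * statistics.median(s["seconds"] for s in group))
        flagged += [s["session_id"] for s in group if s["seconds"] > limit]
    return flagged


# Constructed sample data (not from the research): a benign weather reply that
# ends the session, a reply that stays open with an empty reprompt, and one
# session that runs on far longer than the skill's other turns.
BENIGN = {"version": "1.0", "response": {"shouldEndSession": True,
          "outputSpeech": {"type": "PlainText", "text": "It is 18 degrees in London."}}}
SUSPECT = {"version": "1.0", "response": {"shouldEndSession": False,
           "outputSpeech": {"type": "PlainText", "text": "It is 18 degrees in London."},
           "reprompt": {"outputSpeech": {"type": "PlainText", "text": ""}}}}
SESSIONS = [{"session_id": "s1", "skill_id": "weather", "seconds": 8},
            {"session_id": "s2", "skill_id": "weather", "seconds": 11},
            {"session_id": "s3", "skill_id": "weather", "seconds": 9},
            {"session_id": "s4", "skill_id": "weather", "seconds": 420}]
```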
