Amazon has fixed a bug that allowed hackers to listen in on Alexa devices

One of the most convenient things about Amazon’s Echo smart speaker is that Alexa is always ready to listen to your commands. However, a team from Checkmarx, a security testing firm, wanted to see if that always-on feature could turn the gadget into a hacking device — and it turns out the answer was yes.

Checkmarx was able to create a skill that allowed hackers to listen in on Echo devices and their users’ conversations. Amazon fixed the problem earlier this month, but the incident serves as a cautionary tale as our homes become more connected and voice assistant speakers become more common.

Here’s how Checkmarx did it: Ordinarily, Alexa stops listening after it carries out your command and doesn’t start again until you say the “Alexa” wake word. However, the researchers figured out that hackers could take advantage of Alexa’s “re-prompt” feature. If Alexa doesn’t understand what you say the first time, she lets you know that and keeps listening until you repeat yourself.

Checkmarx’s researchers found it would be possible for hackers to develop an Alexa skill that made the virtual assistant continue to listen even though it had understood the initial command. They were also able to mute the follow-up in which Alexa asks users to repeat a prompt, so the speaker stayed silent but kept listening. The next part of the Checkmarx hack involved orchestrating a way for Alexa not only to keep listening without people realizing it, but also to transcribe what she heard. Amazon’s servers store the audio content of people when they are speaking to Alexa.

Usually, developers who make skills get transcriptions of those conversations as long as spoken words are in the context of the skill. In this case, Checkmarx’s team made the skill record any word that was part of Alexa’s built-in dictionary.
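The two ingredients described above, a session that stays open after the command has already been understood and a re-prompt that produces no audible speech, are both visible in the JSON a skill returns to Alexa. The following is an added example, not code from Checkmarx, Amazon, or this article: a small review check of the kind a skill-certification or defensive review process could run over a skill's responses to flag that pattern. It assumes the standard Alexa Skills Kit response fields (`outputSpeech`, `reprompt`, `shouldEndSession`); the sample responses are constructed, and treating a silent re-prompt as "no text once SSML markup is stripped" is an assumption, since the article does not say how Checkmarx muted the follow-up.

```python
import re

# Regular expression that strips SSML markup such as <speak>, <break/> or <audio/>,
# none of which contributes spoken words on its own.
_SSML_TAG = re.compile(r"<[^>]+>")


def spoken_text(output_speech):
    """Return the audible words of an Alexa outputSpeech object.

    Assumption: an SSML payload made only of markup (pauses, audio tags) is silent.
    """
    if not output_speech:
        return ""
    if output_speech.get("type") == "SSML":
        return _SSML_TAG.sub("", output_speech.get("ssml", "")).strip()
    return (output_speech.get("text") or "").strip()


def review_response(envelope):
    """Flag a single skill response that keeps the microphone open without speaking.

    Returns a list of human-readable findings (empty when nothing is suspicious).
    """
    findings = []
    resp = envelope.get("response", {})
    session_open = resp.get("shouldEndSession") is False
    if not session_open:
        return findings  # the session closes, so Alexa stops listening

    reprompt = resp.get("reprompt", {}).get("outputSpeech")
    if not spoken_text(reprompt):
        findings.append("silent reprompt: session stays open but the re-prompt says nothing audible")
    if not spoken_text(resp.get("outputSpeech")):
        findings.append("silent response: session stays open without speaking to the user")
    return findings


def review_session(turn_envelopes, max_silent_turns=1):
    """Flag a conversation in which silent, open-session turns repeat.

    One silent re-prompt can be a developer mistake; several in a row is the
    'keep listening for over a minute' behaviour described in the article.
    """
    silent_run = 0
    findings = []
    for index, envelope in enumerate(turn_envelopes):
        if any(f.startswith("silent reprompt") for f in review_response(envelope)):
            silent_run += 1
        else:
            silent_run = 0
        if silent_run > max_silent_turns:
            findings.append(f"turn {index}: {silent_run} consecutive silent open-session turns")
    return findings


# Constructed sample responses (not taken from any real skill).
BENIGN_RESPONSE = {
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "Two plus two is four. Anything else?"},
        "reprompt": {"outputSpeech": {"type": "PlainText", "text": "What would you like to calculate?"}},
        "shouldEndSession": False,
    },
}

SILENT_REPROMPT_RESPONSE = {
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "Two plus two is four."},
        # Markup-only SSML: a pause and nothing else, so the user hears no follow-up.
        "reprompt": {"outputSpeech": {"type": "SSML", "ssml": "<speak><break time=\"10s\"/></speak>"}},
        "shouldEndSession": False,
    },
}

CLOSED_RESPONSE = {
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText", "text": "Goodbye."},
        "shouldEndSession": True,
    },
}

if __name__ == "__main__":
    for name, env in [("benign", BENIGN_RESPONSE), ("silent", SILENT_REPROMPT_RESPONSE), ("closed", CLOSED_RESPONSE)]:
        print(name, review_response(env))
    print(review_session([SILENT_REPROMPT_RESPONSE] * 3))
```

The per-response check catches the muted follow-up on its own; the session-level check is there because the article's proof of concept only worked by repeating that open-session turn for over a minute, which is the signal a reviewer would actually want to see.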

Users have plenty of security considerations to worry about when it comes to cloud-stored data. With that in mind, Checkmarx’s researchers wanted to ensure their findings held true in real life. They created a seemingly innocent calculator skill that made Alexa keep listening for over a minute until someone from Checkmarx told it to stop. People in the room talked as the skill kept running. They found that, sure enough, the dialogue got captured in a word-for-word transcript, effectively giving a person the ability to “eavesdrop” by reading the text.

Checkmarx reached out to Amazon to tell the company about the device’s flaw earlier this month, and Amazon fixed the problem on April 10.

Amit Ashbel, Checkmarx’s director of product marketing, said Amazon shortened the amount of time Alexa continues to listen and removed the ability to silence Alexa’s reprompting dialog. Those adjustments make it impossible to re-create the hack. Amazon did not comment on the hack.

If you’re worried about Alexa listening in on you, you can always go into the app and delete your history.

Kayla Matthews
Kayla Matthews has written about smart homes and technology for Houzz, Dwell, Curbed and Inman. She is a senior writer for…