Amazons Alexa Could be Tricked into Spying on Users

Amazon's Alexa Could be Tricked into Spying on Users

Researchers at Checkmarx were able to build an Alexa skill which could be used to spy on users within earshot. Amazon has now closed the loophole.

Security researchers say they have found a way to make Amazon's Alexa listen in on its users indefinitely, and provide a transcript of everything said in front of the device.

Researchers at cybersecurity firm Checkmarx were able to create an Alexa skill - an applications for the voice-activated assistant - that was able to eavesdrop on users. They created what appeared to be a simple calculator skill for solving math problems but it was actually designed to send transcripts of anything said within earshot of the device back to its creators.

The Alexa service is designed to be fully awake and listening when the user requests the device to list. The active cycle is supposed to be relatively short, with Alexa informing the user when an open session is closed and it is going back to sleep. Researchers decided to examine if the way Alexa listens like this could be exploited.

Once Alexa has performed a task, the code makes a "Should End Session" query, in order to determine if the session remains open or closed after Alexa reads back text, potentially allowing Alexa to stay active for another session. In order to stay active for another session, Alexa sends the user a vocal prompt, informing them that it is still active.

However, researchers found that Alexa's API accepts an empty reprompt code, allowing the vocal prompt to be silent. That means that while Alexa believes it has told the user that the device is still listening, the user is unaware that this is the case.

The blue light on the Echo could give away that the device is still active, but it's possible that users won't notice, or simply won't be looking at the device.

“Echo users need to recognize that 'Alexa Skills' are third-party applications. Just like with any other computing device, users need to be cautious about what applications (or skills) they load and who is providing them. Poorly designed or blatantly malicious applications can lead to degraded user experience as well as privacy or security exposures," security researcher for Tripwire's Vulnerability and Exposure Research Team, Craig Young said. “I would not necessarily call this a security loophole on the part of Amazon. The bottom line here is that for this ‘hack’ to work, a user must load and activate the malicious skill and then ignore the fact that Echo’s blue light remains on.”

Checkmarx disclosed its findings to Amazon, which told the media that it has acted to ensure that skills can no longer be exploited in this way.

"Customer trust is important to us and we take security and privacy seriously. We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do," a spokesperson said.

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

Featured

  • AI Is Now the Leading Cybersecurity Concern for Security, IT Leaders

    Arctic Wolf recently published findings from its State of Cybersecurity: 2025 Trends Report, offering insights from a global survey of more than 1,200 senior IT and cybersecurity decision-makers across 15 countries. Conducted by Sapio Research, the report captures the realities, risks, and readiness strategies shaping the modern security landscape. Read Now

  • Analysis of AI Tools Shows 85 Percent Have Been Breached

    AI tools are becoming essential to modern work, but their fast, unmonitored adoption is creating a new kind of security risk. Recent surveys reveal a clear trend – employees are rapidly adopting consumer-facing AI tools without employer approval, IT oversight, or any clear security policies. According to Cybernews Business Digital Index, nearly 90% of analyzed AI tools have been exposed to data breaches, putting businesses at severe risk. Read Now

  • Software Vulnerabilities Surged 61 Percent in 2024, According to New Report

    Action1, a provider of autonomous endpoint management (AEM) solutions, today released its 2025 Software Vulnerability Ratings Report, revealing a 61% year-over-year surge in discovered software vulnerabilities and a 96% spike in exploited vulnerabilities throughout 2024, amid an increasingly aggressive threat landscape. Read Now

  • Motorola Solutions Named Official Safety Technology Supplier of the Ryder Cup through 2027

    Motorola Solutions has today been named the Official Safety Technology Supplier of the 2025 and 2027 Ryder Cup, professional golf’s renowned biennial team competition between the United States and Europe. Read Now

  • Evolving Cybersecurity Strategies

    Organizations are increasingly turning their attention to human-focused security approaches, as two out of three (68%) cybersecurity incidents involve people. Threat actors are shifting from targeting networks and systems to hacking humans via social engineering methods, living off human errors as their most prevalent attack vector. Whether manipulated or not, human cyber behavior is leveraged to gain backdoor access into systems. This mainly results from a lack of employee training and awareness about evolving attack techniques employed by malign actors. Read Now

New Products

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.