Researchers have found a way to make Amazon's Echo device quietly record users and transcribe what they have said.
Code testing firm Checkmarx took advantage of the Alexa Skill Kit - the software development tool set that allow programmers create new features and functions for the Alexa digital assistant on the Echo - and wrote a calculator app that could also record speech input unnoticed.
Skills for Alexa can be coded in C#, Java and Javascript, and come with intents which are voice-activated commands such as Cancel, Stop, and Help.
The research [pdf] showed that it was possible to abuse intents to create an app on the Amazon Echo device that would listen for up to 16 seconds, and record users' transcribed speech into a log file.
Thanks to the researchers disabling Alexa from prompting users for further input, there was no indication of the eavesdropping from the device.
Amazon was notified by the researchers and has pushed out an update that stops developers from using empty reprompts for input.
The update is also able to detect unusually long sessions.
.png&h=140&w=231&c=1&s=0)
.png&w=120&c=1&s=0)
EDUtech AU
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
