Amazon's Echo speakers featured a bug that could have allowed hackers to eavesdrop on people in their homes.
Security researchers found a way to listen in on and transcribe conversations taking place near a speaker, thanks to a flaw which has since been fixed.
Amazon Echo speakers listen out for the word "Alexa", the name of Amazon's voice assistant, before completing a command, like "Alexa, tell me today's news". Any interaction with Alexa is recorded to improve the service, but once the command is finished, Alexa stops recording.
But security researchers from Checkmarx developed an Alexa Skill that would have been an Echo user's worst nightmare. The Skill, a voice app that can be installed on an Echo speaker, would keep Alexa listening long after it should have switched itself off and automatically transcribe what it hears for an attacker.
When an Alexa skill completes its task it is supposed to stop listening. However, sometimes Alexa doesn't hear a command correctly, which will lead the Echo to ask for the user to repeat it. This "re-prompt" feature could be exploited, the researchers found, and be programmed to carry on listening, while muting Alexa's responses.
The only sign the Echo was still on was a blue light ring, which normally lights up when Alexa receives a command.
"For the Echo... listening is key," Checkmarx said. "However, with this device's rise in popularity, one of today's biggest fears in connection to such devices is privacy. Especially when it comes to a user's fear of being unknowingly recorded."
Amazon has since addressed the flaw by better detecting Skills which appear to be built for listening to users and by automatically detecting long listening sessions by an Echo. Manipulating the Echo didn't actually require any attacks on the Echo itself, only a Skill coded to exploit its current features.
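As an added illustration (not Amazon's or Checkmarx's code), the kind of check described above can be sketched as a review pass over a Skill's responses that flags sessions kept open for several turns in a row with no audible speech. The field names follow the Alexa Skills Kit response JSON; the threshold, the heuristic and the sample sessions are assumptions constructed for this example.

```python
import re

MAX_SILENT_TURNS = 2  # hypothetical review threshold, not a value from Amazon

def spoken_text(speech):
    """Audible words in an outputSpeech object; '' when absent or silent."""
    raw = (speech or {}).get("text") or (speech or {}).get("ssml") or ""
    return " ".join(re.sub(r"<[^>]+>", " ", raw).split())  # strip SSML tags

def silent_open_turn(resp):
    """True when a response keeps the session open yet says nothing."""
    r = resp.get("response", {})
    if r.get("shouldEndSession", True):  # simplification: missing flag = ended
        return False
    reprompt = (r.get("reprompt") or {}).get("outputSpeech")
    return not spoken_text(r.get("outputSpeech")) and not spoken_text(reprompt)

def flag_session(responses, limit=MAX_SILENT_TURNS):
    """Return (flagged, longest run of consecutive silent open turns)."""
    run = longest = 0
    for resp in responses:
        run = run + 1 if silent_open_turn(resp) else 0
        longest = max(longest, run)
    return longest > limit, longest

def _resp(text, reprompt, end):
    """Build a constructed response in the skill response JSON shape."""
    return {"response": {
        "outputSpeech": {"type": "PlainText", "text": text},
        "reprompt": {"outputSpeech": {"type": "PlainText", "text": reprompt}},
        "shouldEndSession": end}}

# Constructed sample sessions (not captured traffic).
NORMAL = [_resp("Which city?", "Sorry, which city?", False),
          _resp("It is sunny in Leeds.", "", True)]
SUSPECT = [_resp("Two plus two is four.", "", False)] + [_resp("", "", False)] * 4

if __name__ == "__main__":
    for name, session in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, flag_session(session))
```

A single open turn with an audible question is normal Skill behavior; the signal here is the run of consecutive open turns in which nothing is spoken.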
"We have put mitigations in place for detecting this type of Skill behavior and reject or suppress those Skills when we do," Amazon said.
It's not the first flaw found on Amazon's Echo. Last year it was revealed that second-hand Echo devices could be tampered with to be turned into listening devices.