Amazon Echo can be turned into a secret spying tool

by Gabriel E. Hall - - 2017-08-02

Physical attack can turn Amazon Echo into a microphone

British researchers found out that Amazon Echo speaker can be turned into a spying tool. By exploiting a physical vulnerability, the attackers can install malware, get remote access to the device and convert it into the secret microphone.^[1] As a result, hackers can obtain sensitive information.

Amazon Echo is a smart speaker that connects to the personal assistant service Alexa. Thus this speaker can be controlled by human’s voice. This multifunctional device can not only play music but also set alarms, provide weather information or even control other smart devices. ^[2].

While this issue may not be the major problem for all Amazon Echo users; this recent discovery should increase awareness about security in general. If these smart devices are left without surveillance, for instance in the office, you cannot be certain if it cannot be hacked.

The hijack is based on physical security vulnerability

The researcher Mark Barnes claims that his physical vulnerability exists only in 2015 and 2016 versions of the Amazon Echo. However, the recent version, which was released in 2017, does not have this issue.

The problem is related to the design of the gadget. By removing the rubber base of the device, attackers can access 18 debug pads. What is more, device’s hardware configuration settings allow booting Amazon Echo from the external SD card.

The combination of these two vulnerabilities allows attackers to get the remote access to the device by accessing the root shell on the Linux operating system. In this way, hackers can install malware and turn the gadget into the listening device.

The advantage of this attack is that it does not leave any physical evidence. The rubber base can be easily put back to its place after the evil task is done. Of course, finger prints on the gadget may help to identify the attackers, but we doubt that criminals would make such mistake.

Amazon fixed a detected security flaw

The recent version of the Amazon Echo does not include this security vulnerability. In 2017 Amazon changed hardware. As a result, the device is no longer available to connect remotely by accessing is SD card. What is more, users are advised to purchase this gadget only from the Amazon or trusted retailers.

Security experts agree that purchasing this smart speaker or any other device that belongs to the Internet of Things^[3] category might be risky. These devices might be compromised and used for cyber criminals to obtain sensitive information about users.

What is more, owning smart devices, such as Echo, also requires taking care of its updates. Cyber criminals might also launch attacks at the software level. Therefore, it’s important to install all available updates.^[4]

Lastly, if you are looking for a speaker, you should keep in mind that Echo released in 2015 and 2016 remain vulnerable to physical attacks. Therefore, you should look up for the recently released device in order to buy the most secure gadget.

If you suspect that your Amazon Echo might be hacked, users should mute the device. If someone is spying on you, they will unmute the gadget.^[5]

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References

^ Mark Barnes. Alexa, are you listening?. The MWR Labs blog. The latest security research, updates and developments.
^ Amazon Echo. Wikipedia. The free encyclopedia.
^ Brian Buntz. The 10 Biggest IoT Security Vulnerabilities. IoT Institute. The IoT Institute and IoT World News.
^ Gary Robbins. Tips on protecting your privacy on Amazon Echo and Google Home. San Diego Union Tribune. San Diego News, California & National News.
^ Andy Greenberg. A Hacker Turned An Amazon Echo Into A 'Wiretap'. Wired. The website about science, design, video, culture, gear and more.