green-building-newsheader image
0 Helpful?

Hack Turns Amazon Echo Into a Wiretap

Researcher shows older models of the wi-fi device can stream audio to a distant server without the owner's knowledge

Posted on Aug 7 2017 by Scott Gibson

A British security researcher has demonstrated how the Amazon Echo, a wi-fi connected smart speaker, can be turned into a surveillance tool without the owner's knowledge.

Wired reports at its website the device can be hacked in just a few minutes without leaving any evidence. A hacker would need physical access to the Echo, and the technique works only on devices that were sold before 2017. However, the researcher, Mark Barnes, says there is no software fix for the modification and homeowners would have no way of knowing the device had been altered.

The Echo is part of the "internet of things," devices that allow their owners to access the internet, turn up the heat, lock and unlock windows and doors, and interact digitally with the world around them. With the added convenience comes added privacy risks.

In this case, Wired says, Barnes explained his technique and offered "proof of concept" code that would permit the Echo to stream an audio signal to a server elsewhere, essentially turning the Echo into an always-on wiretap.

"The Amazon Echo is vulnerable to a physical attack that allows an attacker to gain a root shell on the underlying Linux operating system and install malware without leaving physical evidence of tampering," Barnes writes. "Such malware could grant an attacker persistent remote access to the device, steal customer authentication tokens, and the ability to stream live microphone audio to remote services without altering the functionality of the device."

Barnes's technical paper details how the hacker would gain access to tiny pads on the base of the Echo by removing a rubber base. Barnes soldered in connections to an SD card and his laptop, allowing him to bypass the system's authentication measures and install his own software. With a little more development, Barnes says, it would be possible to make the connections in just a few minutes.

The software modifications allow Barnes to take over the Echo's microphones and stream audio to any remote computer he selects. The changes also would allow a hacker to gain access to other parts of the owner's network, including the owner's Amazon account, and install ransomware, Wired said.

Amazon has fixed the flaw in the most recent versions of Echo. Barnes, however, warned that people should be wary of the security risks of Echos that are installed in public and semi-public spaces — such as hotel rooms.


Tags:

Image Credits:

  1. Rob Brewer / CC BY-SA 2.0 / Flickr

1.
Aug 7, 2017 6:39 PM ET

Not just that
by Malcolm Taylor

I've probably posted this here already, but I can drive down the streets in the town near me with a friend who runs a security business and open garage doors, listen to conversations, watch babies sleeping and view security camera images - all this in houses without connections to the new generation of smart appliances and controls. None of which have even rudimentary security features.

The same is true of connected cars, talking dolls, smart TVs, refrigerators and God knows what else. Any group interested in you or your data has plenty of sources to mine it.


2.
Aug 7, 2017 6:47 PM ET

If someone is inside your
by Jon R

If someone is inside your house, there are lots of things that can be modified or installed to be listening devices. Don't worry about one more.

IMO, far worse is the fact that your laptop or phone can be hacked to be a listening device - without needing physical access.


Register for a free account and join the conversation


Get a free account and join the conversation!
Become a GBA PRO!