
Hackers manage – just – to turn Amazon Echoes into snooping devices

But it requires custom hardware, firmware and access to your Wi-Fi


DEF CON Hackers have managed to hack Amazon's Echo digital assistant and effectively turn it into a listening device, albeit through a complex and hard-to-reproduce approach.

Talking at the DEF CON hacking conference in Las Vegas, two Chinese security researchers working for Tencent outlined how they had used a specially modified Echo to access other Echos on the same wireless network and then turn them into bugging devices.

They used "multiple vulnerabilities to achieve remote attack some of the most popular smart speakers," they noted, adding: "Our final attack effects include silent listening, control speaker speaking content and other demonstrations."

It wasn't an easy hack: the two had to remove a flash memory chip on their modified Echo, upload new firmware and then solder it back on to the device. They then accessed the same Wi-Fi network as their target before taking advantage of Amazon's software feature that allows different Echo devices to communicate with one another.

Once achieved, they were then able to listen in silently to audio heard by other Echos on the Wi-Fi as well as control the other devices, playing selected audio and so on.

(This is obviously bad news for places like hotels that pop an Echo in each room and on the same network.)

The hack worked by accessing the Alexa interface through Amazon's website using a range of vulnerabilities – URL redirection, HTTPS downgrade and cross-site scripting – and then accessing other devices on the same network.

If anything the complexity of the hack and the need to be physically close to other devices to hack them, as well as knowing the Wi-Fi password, demonstrates that Amazon has locked down its Echo devices. The researchers told Amazon about their exploit and the company has already patched the holes they used, they noted.

That's not to say that the exploit is worthless however: the researchers – Wu HuiYu and Qian Wenxiang – noted that having done the process a few times they were able to carry out the hardware/firmware modification within 15 minutes and it has worked every time.

Public space

With digital assistant technology becoming widely accepted and understood, companies are considering placing it in increasingly public spaces like schools and hotels. That increases the likelihood of someone using a similar technique with a modified device, which could be very small.

It is not inconceivable that someone would attach a series of Echoes to the same network with one of them publicly accessible and so potentially allow a hacker to brute-force access to their Wi-Fi network and then listen in on other devices that are on more private settings.

It's the sort of thing that someone might use in a specific targeted attack on a particular person or company, especially if an Echo is sat in a private office or conference room.

As you might expect, this is not the first attempt to hack into Amazon's digital assistant. Last year Amazon (and Google) updated their devices to squash a Bluetooth bug that could provide access to devices – again, though, only if an attacker is physically close to the device.

Others have tried to hack the device through the most obvious route – the Echo's so-called "skills" where third parties can have their applications work with the device. In that case it is possible to create a "skill" that can introduce malware into the system but it requires users to actively add it to their system, and so requires an extra level of deception on an attacker's part.

Physical access

The difficulty in accessing the Amazon Echo is due to the fact that it only interacts directly with Amazon's cloud services over an encrypted connection.

In that sense, it is quite a tightly controlled system, despite the appearance of being open to abuse. In each successful case of hacking, the attacker has had to be physically close to or actually have access to the device itself.

The biggest security risk therefore comes from Amazon itself: earlier this year a private conversation between a married couple was recorded and emailed to someone on the husband's contact list after the software decided it had heard a series of commands telling it to record a voice memo and send it to that individual. In reality, they had been discussing hardwood floors.

And then of course there is the fact that the authorities could demand access to your Echo recordings, as the FBI did in a murder case back in 2016. Amazon resisted but before the issue hit the courts it became moot when the suspect in the case, James Andrew Bates, agreed to the release.

What isn't clear is whether Amazon is capable of overriding its system to listen in permanently, rather than require it to wait for the "wake word" before listening, and so act as a live bug (the device holds a two-second audio buffer).

It's not impossible that, in an ongoing investigation, the FBI – or others – could get a judge to order Amazon to let them listen in to a specific device. But then, if you are the sort of person that is likely to be directly targeted by an FBI investigation then presumably you've considered that the extra utility gained from an Amazon Echo may not be worth the risk of having a potential bug in your home or office. ®
