DEF CON Hackers have managed to hack Amazon's Echo digital assistant and effectively turn it into a listening device, albeit through a complex and hard-to-reproduce approach.
Talking at the DEF CON hacking conference in Las Vegas, two Chinese security researchers working for Tencent outlined how they had used a specially modified Echo to access other Echos on the same wireless network and then turn them into bugging devices.
They used "multiple vulnerabilities to achieve remote attack some of the most popular smart speakers," they noted, adding: "Our final attack effects include silent listening, control speaker speaking content and other demonstrations."
It wasn't an easy hack: the two had to remove a flash memory chip on their modified Echo, upload new firmware and then solder it back on to the device. They then accessed the same Wi-Fi network as their target before taking advantage of Amazon's software feature that allows different Echo devices to communicate with one another.
Once achieved, they were then able to listen in silently to audio heard by other Echos on the Wi-Fi as well as control the other devices, playing selected audio and so on.
(This is obviously bad news for places like hotels that pop an Echo in each room and on the same network.)
The hack worked by accessing the Alexa interface through Amazon's website using a range of vulnerabilities – URL redirection, HTTPS downgrade and cross-site scripting – and then accessing other devices on the same network.
If anything the complexity of the hack and the need to be physically close to other devices to hack them, as well as knowing the Wi-Fi password, demonstrates that Amazon has locked down its Echo devices. The researchers told Amazon about their exploit and the company has already patched the holes they used, they noted.
That's not to say that the exploit is worthless however: the researchers – Wu HuiYu and Qian Wenxiang – noted that having done the process a few times they were able to carry out the hardware/firmware modification within 15 minutes and it has worked every time.
With digital assistant technology becoming widely accepted and understood, companies are considering placing it in increasingly public spaces like schools and hotels – which increases the likelihood of someone using a similar technique with a modified device, which could be very small.
It is not inconceivable that someone would attach a series of Echos to the same network with one of them publicly accessible and so potentially allow a hacker to brute-force access to their Wi-Fi network and then listen in on other devices that are on more private settings.
It's the sort of thing that someone might use in a specific targeted attack on a particular person or company, especially if an Echo is sat in a private office or conference room.
As you might expect, this is not the first attempt to hack into Amazon's digital assistant. Last year Amazon (and Google) updated their devices to squash a Bluetooth bug that could provide access to devices – again, though, only if an attacker is physically close to the device.
Others have tried to hack the device through the most obvious route – the Echo's so-called "skills" where third parties can have their applications work with the device. In that case it is possible to create a "skill" that can introduce malware into the system but it requires users to actively add it to their system, and so requires an extra level of deception on an attacker's part.
The difficulty in accessing the Amazon Echo is due to the fact that it only interacts directly with Amazon's cloud services over an encrypted connection.
In that sense, it is quite a tightly controlled system, despite the appearance of being open to abuse. In each successful case of hacking, the attacker has had to be physically close to or actually have access to the device itself.
The biggest security risk therefore comes from Amazon itself: earlier this year a private conversation between a married couple was recorded and emailed to someone on the husband's contact list after the software decided it had heard a series of commands telling it to record a voice memo and send it to that individual. In reality, they had been discussing hardwood floors.
And then of course there is the fact that the authorities could demand access to your Echo recordings, as the FBI did in a murder case back in 2016. Amazon resisted but before the issue hit the courts it became moot when the suspect in the case, James Andrew Bates, agreed to the release.
What isn't clear is whether Amazon is capable of overriding its system to listen in permanently, rather than require it to wait for the "wake word" before listening, and so act as a live bug (the device holds a two-second audio buffer).
It's not impossible that, in an ongoing investigation, the FBI – or others – could get a judge to order Amazon to let them listen in to a specific device. But then, if you are the sort of person that is likely to be directly targeted by an FBI investigation then presumably you've considered that the extra utility gained from an Amazon Echo may not be worth the risk of having a potential bug in your home or office. ®