Amazon’s original Echo smart speaker can be hacked into a 24/7 live microphone, perpetually beaming anything it can hear to a remote server. The flaw was identified by Mark Barnes, a British security researcher who figured out that certain Echo models could be compromised with just a little hands-on time. While the exploit can’t be used to remotely modify an Echo, it could nonetheless fuel the privacy complaints of those uncomfortable with putting internet-connected microphones into their home or office.
Barnes’ trick takes advantage of one of the physical design decisions Amazon made when it created the original Echo. While it connects to a user’s network via WiFi, and only has a visible power connection on the rear, there’s actually a whole host of debug connections available if you know where to look. Peel off the rubber foot on the base of the Echo, and you find 18 pads which are used for debugging purposes.
Prior research already figured out what each of these pads does, including the fact that by hooking up an external SD Card to them the Echo could be made to boot into a generic Linux environment. Barnes takes that several stages further, though. He managed to not only install a persistent implant and gain remote root shell access, but to “remotely snoop” using the Echo’s seven-microphone array.
Notably, for the actual user of the Echo, nothing appears different following the hack. Alexa’s functionality continues unaffected, but in the background everything the microphones can hear is sent as a stream to a remote device, where it could be recorded or played back. Given one of the strengths of the Echo’s setup is the range of its far-field microphones, that could be a good amount of data from the typical home or office.
As Barnes points out, though, the Echo does have an option to turn off the microphones altogether. Press the mic-mute button on the top, and the microphone array will be disconnected. Since it’s a hardware connection, too, it can’t be circumvented by sneaky software.
Amazon, meanwhile, also put a stop to remote boot exploits in the most recent 2017 models of the Echo. By internally connecting two of the pads, it blocked communications with an external SD card, and thus prevented external booting as Barnes used for his exploit. Nonetheless, as this is a physical change, there’s no way for Amazon to “patch” original Echo units from 2015 and 2016 to secure them in the same way.
“To identify if a device is vulnerable you can check the original pack for a 2017 copyright and a device model number ending 02,” Barnes points out. The scope for malicious use is, undoubtedly, limited by the fact that a hacker with nefarious intent would need to first ascertain whether the Echo is one of the potentially compromised models, and then gain physical access to it. Even so, as the security researcher highlights, we’ve seen several hotel chains and similar install smart speakers in their rooms for voice control over streaming music and other features.
Most recently, privacy advocate concerns have ramped up over the Echo Show, Amazon’s latest Echo model. That not only adds a touchscreen display, but a front-facing camera which can be used for video calling. Most controversially, there’s an – optional, and disabled by default – feature called Drop In, which allows approved contacts to remotely turn on your camera without requiring any interaction on the Echo Show itself.
Update: An Amazon spokesperson gave SlashGear the following statement:
“Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date”