Amazon Echo hacked to allow continuous remote eavesdropping

Amazon Echo devices older than 2017 can be physically hacked and turned into a 'wiretap.' Researchers urge caution when buying second-hand devices.


A 9-year-old Massachusetts boy broke into his neighbor’s apartment, not once but three times, and made off with various goodies, including an iPhone and Amazon Echo. He might have gotten away with it except his neighbor had an audio recording of his voice thanks to Alexa. She told police she recognized her young neighbor’s voice, and according to The Gloucester Times, he now faces charges of breaking and entering and larceny.

Under Settings in the Alexa app, you can check out History like she did. By tapping on items in History, you can review what has been said to Alexa, hear the audio recordings and even individually delete those voice recordings. You can wipe all voice recordings at once via the Amazon app under Your Account > Manage Voice Recordings, then select Delete.

That would not work, however, if your Echo had been rooted and turned into a “wiretap.” That’s something security researcher Mark Barnes from MWR Labs was able to do.

MWR Labs explained:

The Amazon Echo is vulnerable to a physical attack that allows an attacker to gain a root shell on the underlying Linux operating system and install malware without leaving physical evidence of tampering. Such malware could grant an attacker persistent remote access to the device, the ability to steal customer authentication tokens, and the ability to stream live microphone audio to remote services without altering the functionality of the device.

Unlikely to happen to your Echo, but be wary of buying second-hand versions

The fact that physical access is required makes it unlikely to happen to your Echo. The attack also works only on 2015 and 2016 editions of the Amazon Echo, as they had a rubber base that can be popped off to reveal 18 debug pads. Neither the 2017 Echo model nor the Amazon Dot is vulnerable.

If a knowledgeable attacker did have access to an older Echo, Barnes noted that rooting it is “trivial.” After rooting the Echo, the researchers wrote a script to continuously grab the raw microphone audio data.

Barnes called the physical access requirement a “major limitation.” The how-to is out there now, so maybe that should give you pause before you purchase a second-hand Echo.

Watch out for Echo devices in hotel rooms

It might also be a good idea to immediately hit the mute button on the top of any Echo found inside hotel rooms just in case it has been hacked to provide attackers 24/7 eavesdropping capabilities.

Installing the devices in hotel rooms is far from common, but when the Wynn Hotel in Las Vegas announced plans “to equip all 4,748 hotel rooms” with an Echo, the hotel said, “Alexa will be fully operational in all guest rooms by summer 2017.”

Amazon responded to the turn-Alexa-into-a-spy news by urging customers to “purchase Amazon devices from Amazon or a trusted retailer” and to “keep their software up to date.” It should be noted, however, that updated software would do nothing to prevent a hacked Echo from continuously listening in.

MWR Labs concluded:

The Amazon Echo does include a physical mute button that disables the microphone on the top of the device or can be turned off when sensitive information is being discussed (this is a hardwire mechanism and cannot be altered via software). Although the Echo brings about questions of privacy with its ‘always listening’ microphones, many of us walk around with trackable microphones in our pockets without a second thought.
