New research released by MWR InfoSecurity reveals how attackers can compromise the Amazon Echo and turn it into a covert listening device, without affecting its overall functionality.
British security researcher Mark Barnes detailed a technique anyone can use to install malware on an Amazon Echo, along with his proof-of-concept code that would silently stream audio from the hacked device to his own faraway server.
The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. But there’s no software fix for older units, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion.
“We present a technique for rooting an Amazon Echo and then turning it into a ‘wiretap’,” writes Barnes, who works as a security researcher for Basingstoke, UK-based MWR Labs.
The method takes advantage of a physical security vulnerability Amazon left in its pre-2017 Echo units: Remove the rubber base at the bottom of the Amazon Echo, the research team could access the 18 debug pads and directly boot into the firmware of the device, via an external SD card, and install persistent malware without leaving any physical evidence of tampering. This gained them remote root shell access and enabled them to access the “always listening” microphones.
After gaining the ability to write his own software to the Echo, Barnes wrote a simple script that takes over its microphone functions and streams its audio to any remote computer he chooses. But he points out that his malware could just as easily perform other nasty functions, like using it as an access point to attack other parts of the network, stealing access to the owner’s Amazon account, or installing ransomware. “You can make it do whatever you want, really,” Barnes says.
The vulnerability has been confirmed to affect the 2015 and 2016 editions of the device. The 2017 edition of the Amazon Echo is not vulnerable to this physical attack. The smaller Amazon Dot model also does not carry the vulnerability.