So guess what? It turns out some Amazon Echo devices can be turned into remote listening devices. MWR Labs was able to open a first generation Amazon Echo and add permanent code to the firmware that streamed live audio from the always-listening microphones to remote services.
Oh, but it gets better, because this attack could, “grant an attacker persistent remote access to the device [and] steal customer authentication tokens.” All without leaving any physical evidence of tampering.
Sounds cool, right? Think about that Echo in your hotel room. Or the Echo you left behind when a repair person, plumber, or baby sitter has the run of your house.
This is a wet dream for an intelligence operative, serious criminal, jealous/paranoid partner, mischievous teens, or a random asshat.
To be fair, an un-tampered with Amazon Echo or Echo Dot is a nightmare in my opinion. And that’s when it’s doing what it’s supposed to: always listening and sending data back to Amazon’s servers. But fine, lots of folks feel differently and are more than willing to allow these wiretaps into their houses.
This new exploit, though, should result in every first generation Echo being recalled. MWR Labs said second generation Echoes are not subject to this particular vulnerability.
First generation Echoes were made in 2015 and 2016, and have a model number ending in “01,” as shown below. Second generation Echoes made in 2017 have a model number ending in “02.”
Turning Amazon Echo into a Wiretap
Here’s how it works. The bottom plate of an Echo has 16 different debugging pads that are usable by anyone. Using these pads, you can force the Echo to boot from an external SD Card. MWR Labs was able to add their own code to the firmware on the device, permanently enabling the device to stream what it hears.
If you click through to MWR Labs’s full blog post, you can read through the necessary technical steps. And to be sure, this stuff isn’t super easy—but it’s not exactly super hard, either, especially now that they figured it out. There’s little doubt the process could be simplified and even automated.
“Rooting an Amazon Echo was trivial, [though] it does require physical access which is a major limitation,” the researchers wrote. “However, product developers should not take it for granted that their customers won’t expose their devices to uncontrolled environments such as hotel rooms.”
I couldn’t agree more.
[Via Tom’s Hardware]