Alexa's Listening: Hackers Turn Amazon Echo Into a Snitch
Many people have invited Amazon's virtual assistant, Alexa, into their homes. The service has expanded beyond Echo speakers to laptops, television sets and hotel rooms that promise to offer your own personal concierge. Yet a group of hackers from Def Con 26 this week have shown once again that setting up a bunch of internet-connected microphones in both public and private spaces can have serious privacy implications.
That's because the Echo speakers that house Alexa have been hacked. Again. The hack demonstrated at Def Con 26 used multiple vulnerabilities to compromise an Echo speaker, use it to affect other speakers on the same network and then have Alexa eavesdrop without any warning.
The good news is that Amazon has already released a patch to prevent this particular hack from working. The company has been quick to resolve security issues found in Echo speakers, especially when compared to other Internet of Things (IoT) product makers, many of which simply allow their devices to be riddled with vulnerabilities. Amazon's swift response to hacks like this one is a welcome change for this sector.
Yet these hacks continue to show that it's possible to use Alexa-equipped microphones for mischief. It doesn't even have to be intentional. Remember the Portland family that discovered their Echo sent parts of their conversations to random contacts? That didn't result from someone hacking the speaker; it happened after a series of unfortunate events led to Alexa doing what it thought it was being told.
That's not all the hackers demonstrated at Def Con 26. Their notes about the presentation explain:
"In this talk, we will present how to use multiple vulnerabilities to ... remote attack some of the most popular smart speakers. Our final attack effects include silent listening, control speaker speaking content and other demonstrations. And we're also going to talk about how to extract firmware from BGA packages Flash chips such as EMMC, EMCP, NAND Flash, etc. In addition, it contains how to turn on debug interfaces and get root privileges by modifying firmware content and Re-soldering Flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely access some Smart Speaker Root permissions and use smart speakers for eavesdropping and playing voice."
We expect hacks like this to continue surfacing. As more companies introduce smart speakers (even Facebook is reportedly planning to make one), it's likely more people will buy them. Just like anything else with an internet connection, if these products become popular enough, a lot of effort will be spent finding ways to bypass their security. Here's to hoping none of those microphones hear anything interesting.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
-
stdragon All these AI bot are little snitches. It's framework that once the Gov gets a backdoor into, it'll be a surveillance state wetdream!Reply
-
bit_user I'm waiting for a virus that turns the AI into an "evil Alexa" that starts insulting the user, ignoring them, randomly shouting insults, and dissing them in front of their friends. The most insidious thing would be if it starts changing slowly. So, at first, you almost don't even notice.Reply -
rantoc Inviting any IoT into the home is a disaster waiting to happen, how is this anyhow surprising considering IoT devices track-record when it comes to security?Reply -
sadsteve What a shock!! NOT.Reply
It's kind of a foregone conclusion that someone's going to try to hack any and all IoT devices. -
10tacle As our society trends towards slacker convenience like the latest "smart home" trends like Alexa, the more our personal security will be put in jeopardy. It's as simple as that. I am not aware of an antivirus program that protects "smart" appliances from being compromised and being turned on remotely by a hacker to burn a house down. The Target hackers found their way into that retail store company's database full of customer credit card data by going through their "smart" HVAC network.Reply
Think about that: a hacker could theoretically remotely turn on the gas burners of a homeowner's "smart" stove without actually igniting them when nobody's home. Then when the homeowner comes home that's full of natural gas fumes in the wintertime and static electricity discharges, it's game over man....game over. -
g.evans Anything that can be done with technology, can be undone with technology. Anything thing that technology can make, technology can break. Greg Evans - 1995Reply