Many people have invited Amazon's virtual assistant, Alexa, into their homes. The service has expanded beyond Echo speakers to laptops, television sets and hotel rooms that promise to offer your own personal concierge. Yet a group of hackers at Def Con 26 this week has shown once again that setting up a bunch of internet-connected microphones in both public and private spaces can have serious privacy implications.
That's because the Echo speakers that house Alexa have been hacked. Again. The hack demonstrated at Def Con 26 used multiple vulnerabilities to compromise an Echo speaker, use it to affect other speakers on the same network and then have Alexa eavesdrop without any warning.
The good news is that Amazon has already released a patch to prevent this particular hack from working. The company has been quick to resolve security issues found in Echo speakers, especially when compared to other Internet of Things (IoT) product makers, many of which simply allow their devices to be riddled with vulnerabilities. Amazon's swift response to hacks like this one is a welcome change for this sector.
Yet these hacks continue to show that it's possible to use Alexa-equipped microphones for mischief. It doesn't even have to be intentional. Remember the Portland family that discovered their Echo sent parts of their conversations to random contacts? That didn't result from someone hacking the speaker; it happened after a series of unfortunate events led to Alexa doing what it thought it was being told.
That's not all the hackers demonstrated at Def Con 26. Their notes about the presentation explain:
"In this talk, we will present how to use multiple vulnerabilities to ... remote attack some of the most popular smart speakers. Our final attack effects include silent listening, control speaker speaking content and other demonstrations. And we're also going to talk about how to extract firmware from BGA packages Flash chips such as EMMC, EMCP, NAND Flash, etc. In addition, it contains how to turn on debug interfaces and get root privileges by modifying firmware content and Re-soldering Flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely access some Smart Speaker Root permissions and use smart speakers for eavesdropping and playing voice."
We expect hacks like this to continue surfacing. As more companies introduce smart speakers (even Facebook is reportedly planning to make one), it's likely more people will buy them. Just like anything else with an internet connection, if these products become popular enough, a lot of effort will be spent finding ways to bypass their security. Here's to hoping none of those microphones hear anything interesting.