Alexa's Listening: Hackers Turn Amazon Echo Into a Snitch

Source: Amazon

Many people have invited Amazon's virtual assistant, Alexa, into their homes. The service has expanded beyond Echo speakers to laptops, television sets and hotel rooms that promise to offer your own personal concierge. Yet a group of hackers from Def Con 26 this week have shown once again that setting up a bunch of internet-connected microphones in both public and private spaces can have serious privacy implications.

That's because the Echo speakers that house Alexa have been hacked. Again. The hack demonstrated at Def Con 26 used multiple vulnerabilities to compromise an Echo speaker, use it to affect other speakers on the same network and then have Alexa eavesdrop without any warning.

The good news is that Amazon has already released a patch to prevent this particular hack from working. The company has been quick to resolve security issues found in Echo speakers, especially when compared to other Internet of Things (IoT) product makers, many of which simply allow their devices to be riddled with vulnerabilities. Amazon's swift response to hacks like this one is a welcome change for this sector.

Yet these hacks continue to show that it's possible to use Alexa-equipped microphones for mischief. It doesn't even have to be intentional. Remember the Portland family that discovered their Echo sent parts of their conversations to random contacts? That didn't result from someone hacking the speaker; it happened after a series of unfortunate events led to Alexa doing what it thought it was being told.

That's not all the hackers demonstrated at Def Con 26. Their notes about the presentation explain:

"In this talk, we will present how to use multiple vulnerabilities to ... remote attack some of the most popular smart speakers. Our final attack effects include silent listening, control speaker speaking content and other demonstrations. And we're also going to talk about how to extract firmware from BGA packages Flash chips such as EMMC, EMCP, NAND Flash, etc. In addition, it contains how to turn on debug interfaces and get root privileges by modifying firmware content and Re-soldering Flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely access some Smart Speaker Root permissions and use smart speakers for eavesdropping and playing voice."

We expect hacks like this to continue surfacing. As more companies introduce smart speakers (even Facebook is reportedly planning to make one), it's likely more people will buy them. Just like anything else with an internet connection, if these products become popular enough, a lot of effort will be spent finding ways to bypass their security. Here's to hoping none of those microphones hear anything interesting.

  • stdragon
    All these AI bots are little snitches. It's a framework that once the Gov gets a backdoor into, it'll be a surveillance state wetdream!
  • bit_user
    I'm waiting for a virus that turns the AI into an "evil Alexa" that starts insulting the user, ignoring them, randomly shouting insults, and dissing them in front of their friends. The most insidious thing would be if it starts changing slowly. So, at first, you almost don't even notice.
  • rantoc
    Inviting any IoT into the home is a disaster waiting to happen. How is this in any way surprising, considering IoT devices' track record when it comes to security?
  • sadsteve
    What a shock!! NOT.

    It's kind of a foregone conclusion that someone's going to try to hack any and all IoT devices.
  • 10tacle
    As our society trends towards slacker convenience like the latest "smart home" trends like Alexa, the more our personal security will be put in jeopardy. It's as simple as that. I am not aware of an antivirus program that protects "smart" appliances from being compromised and being turned on remotely by a hacker to burn a house down. The Target hackers found their way into that retail store company's database full of customer credit card data by going through their "smart" HVAC network.

    Think about that: a hacker could theoretically remotely turn on the gas burners of a homeowner's "smart" stove without actually igniting them when nobody's home. Then when the homeowner comes home that's full of natural gas fumes in the wintertime and static electricity discharges, it's game over man....game over.
  • g.evans
    Anything that can be done with technology can be undone with technology. Anything that technology can make, technology can break. Greg Evans - 1995