Hackers turn Amazon Echo into a spying device using just an SD card
It may sound like a plot line from Spy Kids: The Millennial Edition, but security researchers have found that the Amazon Echo is vulnerable to tampering that could turn it into a covert piece of surveillance equipment, all without affecting its functionality.
Hackers were able to install malicious software simply by removing the base of the Echo, accessing the 18 debug pads and loading the malware from an external SD card into the firmware. This gave them remote root shell access, which in turn gave access to the ‘always listening’ microphones.
According to Mark Barnes, Security Consultant at MWR InfoSecurity: “The rooting of the Amazon Echo device in itself was trivial; however, it raises a number of important questions for manufacturers of internet-enabled or ‘Smart Home’ devices.”
He later continued that this research highlights the need for “manufacturers to think about both the physical and digital security risks that the devices may be subjected to and mitigate them at the design and development stage.”
While Amazon has done a considerable amount to minimise the potential attack surface, these two hardware design choices – the unprotected debug pads and the hardware configuration setting that allows the device to boot via an external SD card – are exposing consumers to an “unnecessary risk.”
Of course, the biggest limitation of this vulnerability is the fact that a hacker needs physical access to the device. So, provided your device is safely ensconced in the confines of your home and you didn’t birth the 15-year-old who hacked TalkTalk, you’re likely to be physically out of reach of attackers.
It shouldn’t be taken for granted, though, that consumers won’t expose the devices to uncontrolled environments that place their security and privacy at risk. The vulnerability also only applies to the 2015 and 2016 editions of Amazon Echo. The 2017 model is not vulnerable, nor is its smaller sibling model, the Amazon Echo Dot.
To identify whether you have a vulnerable device on your hands, you can check the original pack for a 2017 copyright and a device model number ending in 002.
If you happen to have an older model, there are measures you can take to minimise risk, including using the physical mute button to disable the microphone for any private conversations. The more tech-savvy among you may also opt to monitor the network traffic of the device and look for any anomalous activity as a warning sign. An obvious choice would be to purchase your Echo from Amazon or a trusted retailer, thereby safeguarding against pre-existing malware that could be used to record your conversations.
Image: Ben Fruen, used under Creative Commons