Smart speaker plays right into hackers’ hands
EAVESDROPPERS could be listening to people’s private conversations using a security problem with Amazon’s Echo smart speaker, hackers have revealed.
Researchers have discovered a way to turn the Echo speaker into a “wiretap” that sends all recordings to a hacker’s computer in a security flaw that will confirm consumers’ fears about the device that is always listening.
The vulnerability could let cyber criminals listen to microphone recordings from people’s homes, see an owner’s Amazon credentials, steal sensitive information, or take control of the device.
“Someone could use [the hack] to install malicious software on the device and turn it into a wiretap without the person who owns the Echo knowing,” said Mark Barnes, one of the MWR security consultants who discovered the problem.
The problem is found in the hardware of the initial version of the speaker, released in the UK in 2016. Using a weakness hidden underneath a flap at the base of the device, hackers could attach a malicious storage card that would give them access to the operating system of the Echo. Although the hack requires physical access to the Echo, it is very difficult to see when a device has been tampered with, the researchers said.
From here, cyber criminals could infiltrate the user’s Amazon account, the apps on the speaker, and the system that is always listening for the wake word, normally “Alexa”. The latter would allow them to hear all conversations that happen in the vicinity of the speaker.
Original Amazon Echo speakers, released in the UK last year, are affected by the vulnerability, rather than the smaller Echo Dot. Amazon has fixed the problem in new models released in 2017.
MWR advised people who want to buy an Echo to check the date the product was made on the back of the box by the serial number. It said to avoid buying the 2016 device second-hand, in case it has been tampered with, and to check the box for a new product is sealed.
Amazon said: “To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date.”