Elaborate hack turned Amazon Echo speakers into spies

Thankfully, you weren't likely to see it in the wild.
Jon Fingas, @jonfingas
August 12, 2018

Engadget

Some people worry that hackers could infiltrate their smart speakers and spy on them, but that hasn't been the practical reality -- not for Amazon's Echo, at least. A team of researchers from China's Tencent has come about as close as you can get right now, however. They've disclosed an attack on the Echo that uses both a modified speaker and a string of Alexa web interface vulnerabilities to remotely eavesdrop on regular models. It sounds nefarious, but it requires more steps than would be viable for most intruders.

The team created a rogue Echo by removing a flash memory chip from the device, modifying its firmware to get root access, and soldering it back on its circuit board. After that, the group put the speaker on the same WiFi network as untouched Echos. The researchers used Amazon's whole-home communication protocol plus the Alexa interface flaws (including address redirection, cross-site scripting and web encryption downgrades) to gain full control over victims' speakers, including silent recording and playing any sound they like.

Amazon has already fixed the associated internet vulnerabilities. As it stands, the likelihood of a real-world attack was small. A would-be eavesdropper would have to know how to disassemble the Echo, identify (and connect to) a network with other Echos and chain multiple exploits. This would be most useful in hotels and other places where a hacker could both expect smart speakers and hang out without drawing too much attention. If there's a larger concern, it's that this demonstrates a snooping exploit is possible in the first place -- no matter how unlikely it may be.
