
Elaborate hack turned Amazon Echo speakers into spies

Thankfully, you weren't likely to see it in the wild.

Engadget

Some people worry that hackers could infiltrate their smart speakers and spy on them, but that hasn't been the practical reality -- not for Amazon's Echo, at least. A team of researchers from China's Tencent has come about as close as you can get right now, however. They've disclosed an attack on the Echo that uses both a modified speaker and a string of Alexa web interface vulnerabilities to remotely eavesdrop on regular models. It sounds nefarious, but it requires more steps than would be viable for most intruders.

The team created a rogue Echo by removing a flash memory chip from the device, modifying its firmware to get root access, and soldering it back on its circuit board. After that, the group put the speaker on the same WiFi network as untouched Echos. The researchers used Amazon's whole-home communication protocol plus the Alexa interface flaws (including address redirection, cross-site scripting and web encryption downgrades) to gain full control over victims' speakers, including silent recording and playing any sound they like.

Amazon has already fixed the associated internet vulnerabilities. As it stands, the likelihood of a real-world attack was small. A would-be eavesdropper would have to know how to disassemble the Echo, identify (and connect to) a network with other Echos and chain multiple exploits. This would be most useful in hotels and other places where a hacker could both expect smart speakers and hang out without drawing too much attention. If there's a larger concern, it's that this demonstrates a snooping exploit is possible in the first place -- no matter how unlikely it may be.
