The Amazon Echo, that living room gadget that acts as a home for the Alexa smart personal assistant, can be hacked to allow eavesdropping on unsuspecting consumers.
Researchers at MWR InfoSecurity have created a proof of concept for an attack that allows miscreants to record and stream conversations that take place within Alexa’s “hearing,” and send them to a remote computer. These would-be spies also can view an owner's Amazon credentials and authentication tokens, and steal sensitive information from apps on the device.
It’s a physical attack that allows an attacker to gain a root shell on the underlying Linux operating system and install malware without leaving physical evidence of tampering. The vulnerability exists in the exposed debug pads on the base of the device and a hardware configuration setting that allows the device to boot from an external SD card, the firm said in an analysis.
Using an external SD card attached to the debug pads, the researchers were able to boot into the actual firmware on the Echo, install a persistent implant, gain remote root shell access, and finally remotely snoop on the 'always listening' microphones.
“Once we had root we examined the processes running on the device and the scripts that spawn these processes,” the researchers explained. “We were able to understand how audio media is being passed and buffered between processes, and the tools that are used to create and interact with these audio buffers. Using the provided 'shmbuf_tool' application developed by Amazon, we created a script that would continuously write the raw microphone data into a named fifo pipe, which we then stream over TCP/IP to a remote service. On the remote device, we receive the raw microphone audio, sample the data and either save it as a .wav file or play it out of the speakers of the remote device.”
While the hack requires physical access to the Echo, it’s entirely possible that versions of the device from third-party sellers (including used devices) could be tampered with prior to delivery to the end user. The technique does not affect the functionality of the Amazon Echo, so users would be none the wiser.
Echo versions released in 2015 and last year are vulnerable, but Amazon has fixed the problem in the 2017 models. Users should check the date the product was made on the back of the box by the serial number. Other mitigations include muting the devices when not in use.
“To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date,” Amazon said in a press statement.