A vulnerability in older Amazon Echo devices can be used to make the home assistant relay conversations to eavesdroppers while the owner remains none the wiser.
Research by MWR InfoSecurity found it's possible to turn an Amazon Echo into a covert listening device without affecting its overall functionality. One big limiting factor: the process does involve the attacker being able to gain access to the physical unit, but it's possible to tamper with the Echo without leaving any evidence.
The vulnerability comes as a result of two design choices: exposed debug pads on the base of the device and a hardware configuration setting which allows the device to boot from an external SD card. By exploiting these two features, the attacker can access the root shell on the Linux operating system and perform the attack.
By removing the rubber base of the Amazon Echo, researchers gained access to 18 debug pads which can be used to directly boot into the firmware of the device via an external SD card and install malware, enabling access to the root shell and giving researchers the ability to access the 'always listening' microphones.
"If you're an attacker, you could build a device, place it onto that pad, give it a minute or so then remove it and you'll have the capability to gain access to the entire operating system running at the highest privileged user you can be at this level," Mark Barnes, security consultant at MWR InfoSecurity, told ZDNet.
All of this can be done without leaving any physical evidence, as the rubber base of the device can be reattached after the process is complete.
Researchers were able to examine how audio media was processed on the device, and then developed scripts that leveraged functions that let the stream audio to a remote server -- all without impacting its functionality.
The eavesdropped audio could then be played back on a remote device, allowing researchers to listen in to conversations that took place in front of the attacked Echo.
Barnes described how he was able to compromise the device: "First of all, I go about installing a remote shell, giving me the command line of the device over to my computer, so it's as if I'm on the computer inside the Echo itself as the boot user," he said.
"Then I worked out how the audio worked in the system, hooked myself in. Then I could keep listening to the audio -- that could then be sent through to the network and I could listen in through the microphone without the user being aware," Barnes added.
Both the 2015 and 2016 versions of Amazon Echo have been confirmed to be vulnerable to this exploit. The 2017 version and the smaller Amazon Dot can't be attacked in this way, however.
While the physical effort involved in carrying out this attack means that it's very unlikely that hackers could compromise an Echo in such a manner -- especially when so many other Internet of Things devices with listening capabilities can be remotely attacked. However, IoT devices like this are becoming more and more common in the home and workplace.
Another feature which limits the impact of the hack is that all Amazon Echos come with a mute button which can turn off the microphone: anyone concerned about being snooped on can simply turn it off, and their conversations won't be able to be heard by the device or anyone who could potentially be listening in.
It's also possible to avoid much of the risk by ensuring any device purchased is bought brand new and from a trusted seller, which avoids the possibility of a previous owner having potentially tampered with the device. Users should also avoid lending out the device and ensure the software is kept up to date.
"Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date," an Amazon spokesperson told ZDNet.
The research illustrates how organisations looking to install Internet of Things devices should ensure they have an appropriate security policy that takes into account any potential new risks.
"The key takeaway is about ensuring that if you're producing a product that it has adequate security assessments and also if you're planning on buying things and bringing them into your business, you want them in a secure, trusted location," said Barnes.