The Amazon Echo can be turned into a spying tool by exploiting a physical security vulnerability, according to Mark Barnes, a researcher at cybersecurity firm MWR InfoSecurity. His research shows how it's possible to hack the 2015 and 2016 models of the smart speaker to listen in on users without any indication that they've been compromised.
The issue is unfixable via a software update, meaning millions of Echos sold in 2015 and 2016 will likely have this vulnerability through the end of their use.
Barnes executed the attack by removing the bottom of the smart speaker and exposing 18 "debug" pads, which he used to boot directly into the firmware with an external SD card. Once the hack is complete, the rubber base can be reattached, leaving behind no evidence of tampering.
With the malware installed, Barnes could remotely monitor the Echo's "always listening" microphone, which constantly listens for a "wake word." (The most popular of these is "Alexa.") Barnes took advantage of the same audio file that the device creates to wait for those keywords.
"I'm listening to that same file. I'm effectively listening the same way that processor is listening for a keyword," he told me in a phone interview.
It's important to note that Amazon Echo speakers come with a mute button, which turns off the microphone completely. Hitting the button would prevent hackers from being able to listen in on a compromised Echo. It would also prevent the normal use of the device until it is unmuted.
The vulnerability also affects only the 2015 and 2016 Amazon Echo models. Neither the 2017 model nor the smaller Amazon Dot is vulnerable to the hack. Barnes partially based his exploit on earlier work by researchers at The Military College of South Carolina that was released over a year ago. Amazon has fixed the hardware vulnerability in its latest smart speakers: the company revised the main board to prevent booting from the SD card in the new devices, Barnes said.
Still, as Business Insider reported in 2016, market research site Statista estimated that more than seven million Echo devices were sold in 2015 and 2016, meaning that millions of speakers vulnerable to the attack are still in people's homes (Amazon has never released exact Echo sales figures publicly). It's not possible to remotely patch the speakers via a software update, because the hack exploits a hardware vulnerability.
"The problem is it's a hardware issue," Barnes said. "It has to be fixed in the hardware."
Since the attack requires physical access and sophisticated knowledge of embedded systems, there's very little chance it could be exploited on a large scale.
But there are two possible scenarios that could be used to target either random or specific individuals, depending on the method of attack.
Barnes told me that a small device could be built and perhaps sold on the black market with the capability to quickly hack into an Echo, so long as the hacker had physical access to the device. "You would require some technical level to achieve what I did but it's not outside the realm of possibility that someone could design a device to do this," Barnes told me.
Alternatively, someone could pre-hack Echos and then sell them on the secondary market as used machines while retaining the ability to listen in. Reached by Motherboard, Amazon suggested that people not buy Echos on the secondary market.
"Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date," an Amazon spokesperson said in a statement to Motherboard.
While the attack Barnes executed is not of concern to most Amazon Echo owners, it's a great example of the frightening vulnerabilities present in the smart devices we welcome into our private homes.