Researchers at MWR Labs have demonstrated a hack on older Amazon Echo speakers that turns the device into a spying tool sitting right in your humble abode. People who were wary of the way Amazon speakers always listen for your voice can now say they always knew something was up.
Amazon Echo is vulnerable to a physical attack that gives the hacker root shell access to the Linux operating system that runs on the Echo speaker, researchers say. The really freaky thing about this is that the malware could give the attacker 24/7 remote access to the device’s microphone as well as other things, all without leaving a trace of evidence that the device has been physically tampered with.
Not only does this potential attack let the attacker hear everything being said in your home; it also allows the hacker to steal customer authentication tokens and keep persistent remote access to the device. Researchers at MWR Labs say that two design choices Amazon made with the hardware of the speaker in question are what make the hack possible: exposed debug pads on the Echo base, and hardware configuration settings that allow booting from SD cards.
This hack, which turns your Amazon Echo speaker into a wiretap in your home, was built on the foundations of previous work. Researchers found out how to boot into a generic Linux environment from an external SD card; that SD card image is available on GitHub, as are the details of the debug pins. When you remove the rubber base of the speaker, researchers at MWR Labs say, you can find 18 debug pads, and details on what each of them does are available online.
When the researchers connected to the exposed pads, they watched the device boot and gleaned details of its configuration. That said, the researchers did note that the boot sequence cannot be interrupted and that no shell or login prompt is offered. They also say that the MCU inside the speaker is a TI product, so it always tries to boot from an SD card connected to the exposed debug pads before it boots from the internal eMMC.
Once they rooted the speaker, the researchers managed to interact with the audio buffers and make the speaker stream the audio it heard via TCP/IP to a remote server. They sampled the data and saved it as a .wav file or played it out of the speakers of the remote device. This tampering did not affect the usual functionality of the speaker. The team at MWR Labs says that this vulnerability has been confirmed on the 2015 and 2016 versions of the Echo speaker, with this year’s version being attack-proof.
Researchers have also said that hacking the device was trivial, although it did require physical access to the speakers.