- Viral video shows an egg getting a hot makeover Tuesday 7:56 PM
- New Netflix feature broadcasts what you’re watching via Instagram Tuesday 6:11 PM
- Videos show alleged Covington teens harassing women, making rape jokes at march Tuesday 4:13 PM
- MAGA teen gets ‘Today Show’ interview—and people are pissed Tuesday 3:38 PM
- Family says hacker sent fake North Korean missile warning through Nest camera Tuesday 2:42 PM
- This Arizona bill would tax internet porn to fund a border wall Tuesday 2:41 PM
- This meme is asking people how they draw the letter X Tuesday 1:18 PM
- Charlie Kirk’s love of U.S. healthcare system put to the test after back problems Tuesday 1:12 PM
- Fyre Fest caterer who was left broke has received $160,000 in donations Tuesday 12:58 PM
- The YouTuber who taught a dog to give the Nazi salute on command can’t find a job Tuesday 12:24 PM
- The ‘oh yeah yeah’ meme is flooding YouTube—and KSI can’t deal Tuesday 12:20 PM
- Did this d*ck-drawing Instagram star steal her gag from a rival runner? Tuesday 12:00 PM
- Rep. Steve King, best known for his racism, tweets a fake MLK quote Tuesday 11:54 AM
- Facebook is helping husbands ‘brainwash’ their wives with targeted ads Tuesday 11:35 AM
- Twitch streamer Pink_Sparkles responds to gamers who don’t think she belongs Tuesday 11:29 AM
Photo via Zapp2Photo/Shutterstock (Licensed)
Units purchased in 2015 and 2016 are vulnerable to the hack.
A security researcher figured out a way to turn an Amazon Echo into a bugging device—but don’t give up on Alexa just yet.
Mark Barnes of British cybersecurity company MWR InfoSecurity described in a blog post how he took over an Amazon Echo without leaving physical evidence. The exploit gives an attacker remote access to the device, allowing them to steal customer authentication information and stream audio from its microphones to remote servers—essentially turning the Echo into a wiretap.
Barnes says the vulnerability is a result of two poor design choices: exposed “debug pads” (connections to internal hardware) under the rubber base of the device, and settings that allow the personal assistant to boot from an external SD card. As Wired points out, the connectors were likely used for testing and fixing bugs before the devices were sold. Now they can be used by baddies to hijack Echo’s microphones and stream data to a faraway server.
That should certainly trouble Amazon Echo owners, but it probably won’t have a direct impact on most users. That’s because the hack only works on Amazon Echo units sold between 2015 and 2016, and can only be carried out if someone has physical access to the device. This makes the vulnerability particularly effective on units installed in public areas or hotels.
Barnes wrote in detail how he gained control of the Echo. He spent hours soldering two connectors onto the metal pads so he could link his computer and SD card. He then wrote his own software to Echo, a simple script that took over its mic and streamed audio to a remote computer. Barnes says the hack could also be used to attack other parts of a network, install ransomware, or steal Amazon accounts.
While the tedious process of breaking into the Echo leaves plenty of physical evidence of tampering, Barnes says a few modifications allow an attacker to hide their tracks.
“You just peel off the little rubber base and you can access these pads straightaway,” Barnes said. “You could make a device that would push onto the base, that you wouldn’t have to solder on, and that wouldn’t leave any obvious signs of manipulation.”
Although this isn’t something that can be patched with a software update, Amazon fixed the vulnerability in newer Echo units. To check if your device is vulnerable, look on the original packaging and hope for a 2017 copyright and device model number ending “02.”
We have reached out to Amazon and will update this article when we hear back.
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.