Units purchased in 2015 and 2016 are vulnerable to the hack.
A security researcher figured out a way to turn an Amazon Echo into a bugging device—but don’t give up on Alexa just yet.
Mark Barnes of British cybersecurity company MWR InfoSecurity described in a blog post how he took over an Amazon Echo without leaving physical evidence. The exploit gives an attacker remote access to the device, allowing them to steal customer authentication information and stream audio from its microphones to remote servers—essentially turning the Echo into a wiretap.
Barnes says the vulnerability is a result of two poor design choices: exposed “debug pads” (connections to internal hardware) under the rubber base of the device, and settings that allow the personal assistant to boot from an external SD card. As Wired points out, the connectors were likely used for testing and fixing bugs before the devices were sold. Now they can be used by baddies to hijack the Echo’s microphones and stream data to a faraway server.
That should certainly trouble Amazon Echo owners, but it probably won’t have a direct impact on most users. That’s because the hack only works on Amazon Echo units sold between 2015 and 2016, and can only be carried out if someone has physical access to the device. That requirement makes the vulnerability a particular concern for units installed in public areas or hotels.
Barnes wrote in detail how he gained control of the Echo. He spent hours soldering two connectors onto the metal pads so he could link his computer and SD card. He then wrote his own software to the Echo, a simple script that took over its mic and streamed audio to a remote computer. Barnes says the hack could also be used to attack other parts of a network, install ransomware, or steal Amazon accounts.
While the tedious process of breaking into the Echo leaves plenty of physical evidence of tampering, Barnes says a few modifications allow an attacker to hide their tracks.
“You just peel off the little rubber base and you can access these pads straightaway,” Barnes said. “You could make a device that would push onto the base, that you wouldn’t have to solder on, and that wouldn’t leave any obvious signs of manipulation.”
Although this isn’t something that can be patched with a software update, Amazon fixed the vulnerability in newer Echo units. To check if your device is vulnerable, look on the original packaging and hope for a 2017 copyright and a device model number ending in “02.”
We have reached out to Amazon and will update this article when we hear back.