A new hack can turn an Echo into a live microphone

Hackers have figured out how to turn an Amazon Echo into a live microphone. First reported by Wired, the attack requires physical access to the device, is limited to pre-2017 Echoes, and would be difficult to deploy at scale. But when successful, it would allow hackers to pull a live feed of all audio within range of the device, even if the wake word hasn’t been said. The method could also allow hackers to remotely retrieve authentication tokens and other sensitive data from the device.

Researcher Mark Barnes laid out the attack in a blog post earlier today. In simple terms, Barnes’ method compromises the device by booting from an inserted SD card — similar to a LiveCD — and uses that access to rewrite the Echo’s firmware. Once the firmware is rewritten, the hacked Echo can send all audio captured by the microphone to a third party, remaining compromised even after the SD card is removed.

“Customer trust is very important to us,” Amazon said in a statement. “To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date.”

Barnes’ attack only works on the 2015 and 2016 versions of the Echo. The 2017 model makes an internal hardware change that prevents an SD card from operating as an SPI peripheral, a crucial element of the hack. Without moving into SPI mode, the Echo can’t boot directly from the SD card, leaving no way to execute the attack.

While that hardware fix effectively blocks the attack, the nature of the firmware assault makes it very difficult to stop the attack at a software level. Any security patches or other software protections deployed by Amazon would simply be rewritten along with the original firmware. As a result, Echo devices made in 2015 and 2016 are likely to remain vulnerable to the attack indefinitely. Analysts estimate more than 7 million Echo devices were purchased during those years.

“[The attack] does require physical access, which is a major limitation,” Barnes writes in his post. “However, product developers should not take it for granted that their customers won't expose their devices to uncontrolled environments such as hotel rooms.”


Does this affect the Echo Dot unit?

Barnes’ attack only works on the 2015 and 2016 versions of the Echo

Dot wasn’t around in 2015-16

The 1st gen Echo Dot came out in March 2016 and the 2nd gen Echo Dot arrived in October 2016, but his question is still effectively answered with the text you quote.

Yeah it was, my brother has had one since early 2016.

Honestly this hack is so involved that it’d literally be easier just to put an off the shelf bug into something else in your house. We’re talking about taking apart the Echo and soldering in pins to compromise it’s firmware, which means they not only need access to your home but long enough time to actually do such an involved hack. Why bother with this nonsense if they can just go in and drop off a different bug that’s already functional, heck they could even put it inside your echo and just mic it by the existing mic holes.

I think the quote from Amazon is the only piece of this article that points out how this hack could be an issue for a consumer. If you buy an Echo from a 3rd party it could be an earlier generation that’s been hacked to act as a live mic. It’s extremely unlikely that someone is going to come into your house and hack your existing Echo, but new or used equipment purchased from a third party could conceivably be problematic.

So this is mostly a big nothing burger

View All Comments
Back to top ↑