The conspiracy theorists may be right this time: Cybercriminals could use the Amazon Echo to spy on them. A British security researcher demonstrated how he — or anyone — could install malware on an older Echo device (sold before 2017) to stream audio from the hacked device to his remote server. The data security flaw has been addressed in more recent versions of the Amazon Echo, Amazon told Wired in a news report.
While hacking the Echo was relatively simple, it did require the researcher — one Mark Barnes of U.K.-based MWR Labs — to have physical access to the device at some point, so customers using the Echo at home probably don’t need to worry.
However, as an increasing number of hotels and offices deploy the Echo as a tool for convenience, the issue does raise some cybersecurity concerns. Installing the wiretap could be done without leaving a single trace, and there is no software fix to prevent a cyberattack within the code of the older Echoes.
Barnes gained access to the Echo’s inner workings by peeling off the rubber bottom and soldering in connections of his own — one to his computer, the other to an SD card containing a “bootloader” that told the device to boot its own operating system without running the standard authentication measures.
Once a hacker gains access to the inner workings of an Echo, he could use it to attack other parts of the network, said Barnes — stealing access to the owner’s Amazon account, installing ransomware or a slew of other nefarious cybercriminal activities.
Amazon said that customers should always buy devices directly from Amazon or a trusted retailer, because devices sold by a secondhand seller could be compromised by a hacker. The company also urges user to keep their software up to date to protect against cyber attacks and known data security flaws, although this particular wiretap flaw stems from a hardware vulnerability and could not be remedied by a software patch.
Barnes offered a simpler cybersecurity solution: If you’re in a hotel room with an Echo that isn’t yours, you’re better safe than sorry: “Just turn it off.”