Hacking the Amazon Echo
Researchers discover that the Amazon Echo can be hacked and used as a spying device.
At DEFCON last week, white hat hackers explained during a presentation that it is indeed possible to hack an Amazon Echo. Security researchers from Chinese conglomerate Tencent described the steps they took to turn a regular, working Echo into a spying device, completely through remote activation. And while this may sound like alarming news, it’s important to note that a key factor of the hack is that the interceptor must be on the same LAN.
To perform the hack, the researchers first had to prepare their hacking tool — a second Amazon Echo, which they had to modify by replacing parts and adding new pieces. Then, by connecting the modified digital assistant to the same LAN as the targeted Echo, they were able to communicate with it and surreptitiously make it begin recording sound and sending it to the modified Echo. Had they wanted, they could have done the reverse and pushed sounds from the modified Echo to play out of the targeted one.
Before giving their presentation, the researchers contacted Amazon to report the vulnerability, and the e-tail giant swiftly released a patch to resolve the flaw. The Amazon Echo updates automatically, so no action is required by owners for this fix. The company’s quick action to remedy the situation notwithstanding, the revelation pointedly voids their previous common dismissals that the Echo could be used for spying purposes.
“Everyone already knows that smart speakers are listening all the time in the event that they need to respond to our requests,” says Luis Corrons from Avast Threat Labs. “Just like any connected device, of course, it can eventually be hacked.” Corrons continues, “However, devices from reputable manufacturers that get automatic updates solving known security issues are not the devices that pose the risk. The larger issue this white-hat hack example points to is that any device is potentially hackable, and many people are not even aware that they even have a connected device. It is these lesser-known devices — the ones that have no automatic updates to address vulnerabilities — that pose a real risk for users.”
As the strange and wonderful world of IoT devices continues to grow in your home, Avast recommends:
- If you are thinking about buying an internet-connected device, ensure you buy the webcam, smart speaker, smart lights from a reputable manufacturer — a strong, recognized brand. While a lesser-known brand may be cheaper, the cost comes with a number of security issues that could be troublesome later. Do your research, ensure the vendor has a way to update and patch the connected devices.
- Get clear on how the devices are updated/patched. It may be automatic, or the app or service may prompt you to do it. Further, whatever the update mechanism, make sure you update the connected device as soon as you can.
- If you come across Google Home or Amazon Alexa in a public setting, like an AirBnB or hotel, simply unplug the device if you have concerns.
- And finally, use Avast Wi-Fi Inspector to make sure that you do not have security issues in your network. If there is a default or weak credential or a vulnerable device in your network, Wi-Fi inspector will alert you. To run the scan, open Avast Antivirus > Protection > Wi-Fi Inspector and click Network Scan. (Note: While Wi-Fi Inspector is enabled by default, it does not provide real-time protection. So any time you are concerned, you can enjoy peace of mind by performing network scans manually.)