Turning an Amazon Echo into an Eavesdropping Device

For once, the real story isn't as bad as it seems. A researcher has figured out how to install malware onto an Echo that causes it to stream audio back to a remote controller, but:

The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. But there's no software fix for older units, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion.

The way to implement this attack is by intercepting the Echo before it arrives at the target location. But if you can do that, there are a lot of other things you can do. So while this is a vulnerability that needs to be fixed -- and seems to have inadvertently been fixed -- it's not a cause for alarm.

Posted on August 10, 2017 at 1:54 PM • 10 Comments


firsttimeforeverything • August 10, 2017 2:31 PM

Seems like this would be a pretty big concern for individuals that buy used electronics. I haven't looked up how big the market is for a used Echo, but just eBay has 311 results when I searched for "used amazon echo". I'd be very worried someone could just purchase an Echo, install the malware, and then sell it at a discount used and spy/collect data that way. Like you said, this would just be one thing on a checklist of modifications one could do in this situation. Not a fan.

r • August 10, 2017 5:40 PM

It was fixed because the NDA discovered it first and now all amazing devices are interdicted first.

Bong-Smoking Primitive Monkey-Brained Spook • August 10, 2017 5:58 PM

> It was fixed because the NDA discovered it first and now all amazing devices are interdicted first.

You again? NDA as in 'New Data Available', or a typo? I'm out of the interdiction business. Too stressful.

Pst, @RobertT: watch and learn.

Narcissus • August 10, 2017 6:49 PM

"Turning" an Amazon Echo into an Eavesdropping Device?

Isn't it already? What? Are you trying to tell me the aforementioned device is not already an eavesdropping device?

You didn't get the BigBro84 update.

r • August 10, 2017 7:56 PM

For the purpose of our conversation, let's just blame it on either a) swype or b) tampering.

wazzat? improper formatting?? No semi colon???

c) plausible deniability.

Colin Frahm • August 11, 2017 5:41 AM

This is possible on pretty much any Internet connected device. However, right after I started using an Amazon Dot at work I left it connected when I went home one night and found it playing music the next morning. Something like the cleaning crew or external noise made it activate. It is a good thing that someone did not order 10,000 dog chews using my Dot while I was not there.

parabarbarian • August 11, 2017 9:00 AM

Considering the Echo (and Siri and whatever Google is calling its version) sends voice data back to the manufacturer's "cloud", worrying over this application is a bit like straining at gnats while swallowing a camel. For heaven's sake, it is an eavesdropping device by design and I expect it will be used for surveillance.
