Turning an Amazon Echo into an Eavesdropping Device

For once, the real story isn’t as bad as it seems. A researcher has figured out how to install malware onto an Echo that causes it to stream audio back to a remote controller, but:

The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. But there’s no software fix for older units, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion.

The way to implement this attack is by intercepting the Echo before it arrives at the target location. But if you can do that, there are a lot of other things you can do. So while this is a vulnerability that needs to be fixed—and seems to have inadvertently been fixed—it’s not a cause for alarm.

Posted on August 10, 2017 at 1:54 PM · 11 Comments

Comments

firsttimeforeverything August 10, 2017 2:31 PM

Seems like this would be a pretty big concern for individuals that buy used electronics. I haven’t looked up how big the market is for a used Echo, but just Ebay has 311 results when I searched for “used amazon echo”. I’d be very worried someone could just purchase an Echo, install the malware, and then sell it at a discount used and spy/collect data that way. Like you said, this would just be one thing on a checklist of modifications one could do in this situation. Not a fan.

r August 10, 2017 5:40 PM

It was fixed because the NDA discovered it first and now all amazing devices are interdicted first.

Bong-Smoking Primitive Monkey-Brained Spook August 10, 2017 5:58 PM

@r,

It was fixed because the NDA discovered it first and now all amazing devices are interdicted first.

You again? NDA as in ‘New Data Available’, or a typo? I’m out of the interdiction business. Too stressful.

Pst, @RobertT: watch and learn.

Narcissus August 10, 2017 6:49 PM

“Turning” an Amazon Echo into an Eavesdropping Device?

Isn’t it already? What? Are you trying to tell me the aforementioned device is not already an eavesdropping device?

You didn’t get the BigBro84 update.

r August 10, 2017 7:56 PM

For the purpose of our conversation, let’s just blame it on either a) swype or b) tampering.

wazzat? improper formatting?? No semi colon???

c) plausible deniability.

Colin Frahm August 11, 2017 5:41 AM

This is possible on pretty much any Internet-connected device. However, right after I started using an Amazon Dot at work, I left it connected when I went home one night and found it playing music the next morning. Something like the cleaning crew or external noise made it activate. It is a good thing that someone did not order 10,000 dog chews using my Dot while I was not there.

parabarbarian August 11, 2017 9:00 AM

Considering the Echo (and Siri and whatever Google is calling its version) sends voice data back to the manufacturer’s “cloud” worrying over this application is a bit like straining at gnats while swallowing a camel. For heaven’s sake, it is an eavesdropping device by design and I expect it will be used for surveillance.

cattypist August 29, 2017 4:51 PM

The way to implement this attack is by intercepting the Echo before it arrives at the target location

Or by an ‘evil maid attack’ when the device is already in the target location?
