Hackers manage – just – to turn Amazon Echoes into snooping devices

Hackers have managed to hack Amazon's Echo digital assistant and effectively turn it into a listening device, albeit through a complex and hard-to-reproduce approach. Talking at the DEF CON hacking conference in Las Vegas, two Chinese security researchers working for Tencent outlined how they had used a specially modified …

  1. Anonymous Coward

    remove a Flash chip on their modified Echo

    Why not just insert an actual bugging device inside the device?

    1. RogerT

      Exactly my thought.

      1. vir

        The vulnerability here isn't that a modified Echo could be used to spy on you if it could somehow be infiltrated into your home; it's that a modified Echo could be used to eavesdrop on other completely stock devices in your home as long as it could get on the same network. Given the security state and broadcast area of most home networks, I'd say that it was a more significant vulnerability than the article let on.

        Reason #344 not to get an Echo.

        1. Anonymous Coward

          IoT-Hell: Amazon Echo comes to HOTELS - Anyone for Marriott?

          'if it could somehow be infiltrated into your home'

          If it can't be home hacked, how about a hotel room:

          1. Wensleydale Cheese

            Re: IoT-Hell: Amazon Echo comes to HOTELS - Anyone for Marriott?

            "If it can't be home hacked, how about a hotel room:"

            The term "Evil Maid" comes into its own in that context.

            And if it only takes 15 minutes to knobble an existing device, we probably need to look at the problem of "Evil Guest" leaving a permanent hook into the hotel's system.

    2. PeeKay

      Why not just

      1. Flash the firmware you want to use "Over the Air" (as Amazon already do)

      2. Reboot Alexa

      3. Profit

      You'd then have your insert point to the rest of the network/Alexas.

    3. Prst. V.Jeltz Silver badge

      Why not just insert an actual bugging device inside the device?

      Why not forget the Amazon gizmo and just insert a standard bug? That's what I thought till I read on; it seems once the custom Echo is on the network it can turn all the other Echos into bugs. That's the difference.

      That might mean you don't even have to enter the property if the Wi-Fi pokes out a bit.

      Or if its a big corp network you could harvest a huge number of devices over god knows how far geographically*

      * I'm guessing, as it's a home IoT thing, it might not cross subnets

  2. Vector

    It's just a matter of time...

    That is all.

  3. GIRZiM

    Correct me if I'm wrong but

    the thing about the Echo (and similar devices) is that they already are listening devices with custom hardware, firmware and access to your Wi-Fi, no?

    1. Prst. V.Jeltz Silver badge

      Re: Correct me if I'm wrong but

      Yeah, but so far all the tinfoil hat paranoid conspiracy types have just been freaking out that Jeff Bezos knows what kind of wine they put on the shopping list.

      Now it seems anybody could be listening

      1. GIRZiM

        Re: Correct me if I'm wrong but

        Well, to be fair, Bezos probably had no idea what kind of wine you were drinking, but, on the other hand, the various deep-cover criminals working in the right parts of Amazon, or working for various of Amazon's 'Trusted Partners' (who have less security and are easier to extract data from), probably know a lot more than that about you - and what can be done with the seemingly innocuous data from your online searches (never mind the knowledge of what time you go to work and get home) is pretty damn scary (I know because I've done that kind of data analysis myself).

        But anyone upset by the idea that more than Amazon could gain access to their data hasn't been paying attention and really has no complaint to make: it was always a Trojan horse gate for the horses that we'll put in the wall here - don't worry about anyone else getting in through it, we only hand copies of the keys to these other people and they're totally trustworthy (they crossed their hearts and swore they wouldn't lose them or give them to anyone else).

  4. G Mac

    Hmm 'permanently'...

    "What isn't clear is whether Amazon is capable of overriding its system to listen in permanently, rather than require it to wait for the "wake word" before listening, and so act as a live bug (the device holds a two-second audio buffer)."

    I think it is a bit slippery to say that the device is NOT listening permanently. Obviously it has to 'listen' to recognise the 'wake word'; the hope here being that that two-second audio buffer is not released upstream regardless of the trigger word's presence, which I believe was the point here.

    1. Yet Another Anonymous coward Silver badge

      Re: Hmm 'permanently'...

      Presumably they could make the wake word NULL, once it is "woke" it sends everything back to the cloud for recognition

    2. Velv

      Re: Hmm 'permanently'...

      rather than require it to listen for the "wake word" before listening

      Fixed it for you!

  5. Anonymous Coward

    'Amazon is capable ... to listen in permanently'

    I believe this is a certainty.... For example in the UK....

    Govt & GCHQ have said they intend to exploit IoT!

  6. Anonymous Coward

    Whichever way you look at this, we're entering....

    A Golden age of Spying / Surveillance / Espionage

    At a Sovereign / Commercial and Consumer level

    Sold as a UX to users, but all about something else...

    1. Anonymous Coward

      Re: Whichever way you look at this, we're entering....

      Which is why NONE of this shit is ever coming into my home.

      My so called Smart TV is never connected to the Internet.

      All Social Media plus 90% of google sites are blocked at my firewall.

      And the only network connections are wired. No WiFi. Turned off at the Router. Wouldn't work very well as the walls are foil lined (Insulation material)

      Welcome to the world of a modern-day refusenik.

  7. EveryTime

    Presumably they needed to remove, reprogram, and re-install the flash chip so that they could access the private key in that specific device's CPU or TPM. (Probably a TrustZone 'enclave'.) Without the key stored in the original CPU, the device wouldn't be recognized as a valid Echo and wouldn't be given the ability to control nearby devices.

    This is an illustrative hack -- it shows that the device is pretty well locked down, and not (easily) remotely vulnerable. But the difficult problem of an unbroken chain of trust remains. In this case they trusted "already installed" software.

  8. Wellyboot Silver badge

    targeted by FBI?

    >>if you are the sort of person that is likely to be directly targeted by an FBI investigation<<

    So basically, given the FBI's (known) history, that's anyone breathing?

    "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him" - Cardinal Richelieu.

  9. Charlie Clark Silver badge

    …companies are considering placing it in increasingly public spaces like schools and hotels…

    Well, at least in Europe the question of liability in the case of a breach has already been clarified. As, indeed, has the need to get permission before Amazon (or any other crooks) can listen in.

  10. Aodhhan

    We were hoping it would take some time before people figure this out.

    Now we have to get good at bypassing home physical security systems again.

  11. usariocalve

    Instead of re-flashing an echo, why not pre-hack an echo and plug it in?

    Anyway, the vuln has been fixed.

    Amazon's eating its own dog food when it comes to managing the Alexa ecosystem, so if you want a place to start take a look at amazon's IoT infrastructure; it's pretty tight. You'll have more success ripping the client cert off of an echo and using it to abuse the system, at least until the cert is revoked. The big weakness right now is that there's no way to prevent someone from -attempting- to connect - a revoked cert will still eat resources at some level.

  12. Drew Scriver

    Hotels and... college campuses?

    As troubling as it would be to have someone place rogue units in a hotel room and potentially access units in other rooms this way, what about college dorms?

    The students tend to be on the same WiFi network, which was a requirement for this hack. I can imagine students either hacking a unit themselves, or falling for an ad for a free (used and hacked) unit somewhere.

    Life is getting more and more complicated. If I were to encounter a digital assistant in my hotel room I would either unplug it or call the front desk to have it removed. College dorms are more problematic, especially since dorm rooms in the USA are generally shared with other students. What if your roommate insists on having these spy gadgets in the room?

  13. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    Do Amazon sell backdoors for Echo to Nation States? Hard to imagine Google not selling such services for their HomeSpy™

  14. Marty McFly Silver badge

    Uhhh, no....

    >" But then, if you are the sort of person that is likely to be directly targeted by an FBI investigation then presumably you've considered that the extra utility gained from an Amazon Echo may not be worth the risk of having a potential bug in your home or office."

    This presumes the government is trustworthy and would never go on a fishing expedition to support their preconceived notions about a "suspect's" guilt.
