At first it doesn’t seem like much of a threat for a third party to hear you talking to your Amazon Echo’s virtual assistant, Alexa.
After all, a request such as “Alexa, order me an Uber” is already being shared with Uber, your credit card company and of course the Alexa app on your phone. Other requests are similarly mundane, such as asking for the time, the weather or a knock-knock joke.
But other queries, such as the symptoms of a sexually transmitted disease or the number of a bankruptcy lawyer, might be more sensitive, and not something you’d want to share. Fortunately, Amazon keeps such queries confidential and you can only see them using the Alexa app on your phone.
But suppose your virtual assistant did more than just listen for its action word, “Alexa” in the case of the Echo, or “Hey Siri” in the case of your iOS device. Suppose that your device was also transmitting every word you say to a remote location so it could be heard and recorded by a third party?
A security researcher in the UK, Mark Barnes with MWR Labs, has just published the instructions for hacking an Amazon Echo. According to Barnes, the hack was “trivial” although it does require physical access to the device. What’s more important is that defeating the hack is easy, provided you know that your Echo has been tampered with.
But the fact is that it’s impossible to tell whether your Echo has been compromised just by examining it. You’d need to look inside the Linux-based operating system of the device to see whether it has been rooted. This is not an easy task.
It’s also impossible to tell when you’re using the Echo whether it’s been compromised. The hack does not interfere with the normal functions of the device.
The hack works by gaining access to the sixteen debugging pads on the bottom of the Echo. Those pads, which are basically electrical connectors, are underneath the rubber cover on the bottom of the Echo. Peel that cover off and you can boot the Echo from an SD card as explained by researchers at The Citadel in South Carolina.
Once access to the debug pads is achieved, it’s possible to boot the Echo from an SD card and install a short script that contains instructions to listen to the microphones and then send the resulting data file to a remote location.
The initial attempt to do this as a proof of concept took Barnes a couple of hours, and left the Echo with wires hanging out everywhere, but he indicates that by creating a connector to fit the debug pads, the whole effort could be done in a few minutes.
At first, this might seem to be an unnecessary alarm. After all, your Echo is safe at home or in your office, right? Well, perhaps it’s safe at home.