At first it doesn’t seem like much of a threat for a third party to hear you talking to your Amazon Echo’s virtual assistant, Alexa.
After all, saying “Alexa, order me an Uber” is already being shared with Uber, your credit card company and of course the Alexa app on your phone. Other requests are similarly mundane, such as requests for the time, the weather or a request for a knock-knock joke.
But broadcasting other queries, such as the symptoms of a sexually transmitted disease or the number of a bankruptcy lawyer, might be more sensitive, and not something you’d want to share. Fortunately, Amazon keeps such queries confidential and you can only see them using the Alexa app on your phone.
But suppose your virtual assistant did more than just listen for its action word, “Alexa” in the case of the Echo, or “Hey Siri” in the case of your iOS device. Suppose that your device was also transmitting every word you say to a remote location so it could be heard and recorded by a third party?
A security researcher in the UK, Mark Barnes with MWR Labs, has just published the instructions for hacking an Amazon Echo. According to Barnes, the hack was “trivial” although it does require physical access to the device. What’s more important is that defeating the hack is easy, provided you know that your Echo has been tampered with.
But the fact is that it’s impossible to tell whether your Echo has been compromised just by examining it. You’d need to look inside the Linux-based operating system of the device to see whether it has been rooted. This is not an easy task.
It’s also impossible to tell when you’re using the Echo whether it’s been compromised. The hack does not interfere with the normal functions of the device.
The hack works by gaining access to the sixteen debugging pads on the bottom of the Echo. Those pads, which are basically electrical connectors, are underneath the rubber cover on the bottom of the Echo. Peel that cover off and you can boot the Echo from an SD card as explained by researchers at The Citadel in South Carolina.
Once access to the debug pads is achieved, then it’s possible to boot the Echo from an SD card, and install a short script that contains instructions to listen to the microphones, and then send the resulting data file to a remote location.
The initial attempt to do this as a proof of concept took Barnes a couple of hours, and left the Echo with wires hanging out everywhere, but he indicates that by creating a connector to fit the debug pads, the whole effort could be done in a few minutes.
At first, this might seem to be an unnecessary alarm. After all, your Echo is safe at home or in your office, right? Well, perhaps it’s safe at home.
But think about who has access to your office. Perhaps the cleaning staff? Office assistants? Colleagues? Any of those could install the required software while you’re away.
But there’s a bigger threat, and that comes from Echo devices in public places and in hotel rooms. Marriott is already testing Echo devices to serve as electronic concierges, and has plans to install the devices in at least some of its hotel rooms.
The Wynn Las Vegas hotels are expected to have Echo devices in all of their rooms. Considering the number of staff that wanders in and out of hotel rooms in a normal day, from the housekeepers to the minibar fillers to the maintenance folks, there is no physical security for the device and you have to assume that it’s been compromised.
To keep a potentially compromised Echo from recording your conversation, you only need to press the mute button on the top of the device. Still worried? You can unplug it by pulling a small power connector out of the device when you don’t want it to hear what you’re saying.
However, you don’t need to worry about every Amazon Echo device. The Echo Dot doesn’t have those debugging pads, so there’s no way to load software using the hack that Barnes describes. Furthermore, this vulnerability has been removed from Echo devices made since the beginning of 2017.
But just because that vulnerability has been cleared, that’s no reason to think that your smart devices are safe. When Samsung came out with its voice-controlled smart televisions, the company was forced to include a warning that conversations that were heard in the vicinity of the television set may have been recorded.
Some smartphones have similar issues. For example, there’s malware for Android phones that can record conversations and that can use the phone’s camera to record whatever is visible in the phone’s vicinity. It’s not known yet whether other smart devices such as the Google Home and the upcoming Apple HomePod can be hacked. The Apple device is still in development after all.
But it’s safe to say that successful hacks against the new products will come. How well the devices hold up will depend on the steps taken in the future to make them robust enough to withstand a hacking attack, but there are no guarantees.
In the meantime, follow the advice of an Amazon spokesperson: buy your Echo from a reputable source and apply all updates promptly. If you must travel with your Echo, use the smaller Echo Dot that doesn’t have those debugging pads so that strangers in your hotel room can’t install those malicious scripts. The first line of defense, after all, is to protect your device from tamperers.