Amazon Echo Hack: Is it actually as bad as it sounds?

Security researchers have found a way to crack your Amazon Echo and stream all of your audio remotely without your knowledge – but is it as bad as it sounds?

The Amazon Echo is a gloriously cool piece of tech; a voice-controlled smart speaker that can read you the news, tell you a joke, and even order you a pizza. It’s all thanks to the built-in Alexa digital assistant, which is becoming an increasingly common member of households across the UK.

But experts at MWR InfoSecurity say they have exposed a vulnerability in the Amazon Echo that turns it into a secret spying device – without affecting how it works in your home.

Below, you’ll find an explanation of how the hack works, whether you should be worried, how to stay safe, and how Amazon is helping to protect your personal information.


Amazon Echo Hack: What’s the vulnerability?

Unlike more dangerous hacks, this exploit can’t be capitalised on remotely. This means that although someone could listen to your conversations from afar, they need to first have physical contact with your device – and enough time to tamper with it, too.

To exploit the vulnerability, a rogue party would need to remove the rubber base on the bottom of your Echo and access the debug pads. This would allow them to directly boot into the device’s firmware and use an SD card to install malware. There wouldn’t be any physical evidence of the access, and functionality would remain the same.

Importantly, by doing this, the hacker would be able to access your “always listening” microphones, and effectively own a constant stream of audio from your home indefinitely.

“The rooting of the Amazon Echo device in itself was trivial; however, it raises a number of important questions for manufacturers of internet-enabled or ‘smart home’ devices,” said Mark Barnes, a security consultant at MWR InfoSecurity.

Barnes continued: “The biggest limitation of this vulnerability is the need for physical access to the device itself, but it shouldn’t be taken for granted that consumers won’t expose the devices to uncontrolled environments that place their security and privacy at risk.”

According to the researchers, the vulnerability affects only the 2015 and 2016 versions of the device; 2017 models are protected from such an attack. It’s worth noting that the Amazon Echo Dot (pictured below) is also safe from this attack.

Amazon Echo Dot


Is it as bad as it sounds? And how can you stay safe?

It sounds pretty scary, but it’s quite a tricky exploit to take advantage of. It would involve a hacker finding their way into your home and tampering with your device – and would only work if you have one of the specific vulnerable models.

It’s near-impossible for someone to stream your audio without your knowledge or permission as long as you:

  • Buy your device from Amazon, or a trusted retailer
  • Don’t relinquish possession of your device
  • Keep your software up-to-date

For your own safety, consult this list of approved retailers where you can buy Amazon devices in the UK safely:

Click here for a list of approved Amazon Device retailers

To stay safe, we’d recommend not leaving your Echo alone with people you don’t trust, and installing all software updates as they go live.

The good news is that this hack is arguably more difficult than simply concealing some kind of audio bug in someone’s home. So although this would certainly be more useful to hackers than a bug, it’s unlikely you’ll ever be affected by this.

In a statement sent to Trusted Reviews, an Amazon spokesperson said: “Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date.”


Amazon Echo Security: How is Amazon keeping you safe?

It’s worth noting that Amazon has gone to great lengths to ensure that the Amazon Echo has decent security.

For a start, there’s a button on the top of the speaker that lets you turn the microphone off. Once you hit it, a red light will come on to signify that your microphones are off. This button is connected to the microphone with analogue electronics, so when the red light is on, it’s a guarantee that the mics are electrically disconnected.

Also, even though the Amazon Echo is always listening, it’s not always streaming your conversations to the cloud. The Echo uses on-device keyword spotting to detect the wake word – that’s “Alexa” – and will only stream your phrases to the cloud when that wake word is detected – as signified by the blue light ring.

None of your utterances are stored on the device either; instead, they’re held securely in the cloud. You can see every single utterance associated with your account in your Alexa settings, and it’s also possible to either delete individual utterances or wipe the whole lot in one go.
