Skip to main content

Hackers Turn Amazon Echo Into Spying Device

You can secretly turn an Amazon Echo smart speaker into a listening device, according to hardware hacker Mark Barnes of MWR Labs in England.

Credit: amedley/Shutterstock

(Image credit: amedley/Shutterstock)

In a blog posting yesterday (Aug. 1), Barnes detailed how you can pry the bottom off an Echo and connect to a debugging plate — an electronic interface for programmers and repairmen — that lets you attach an SD card. From the SD card, the Echo can be booted up, and new functions can be added to the firmware.

In this instance, the MWR team added a script that streamed microphone audio over the internet to a remote device, such as a smartphone or laptop. The Echo and its Alexa voice assistant had been turned into a bug in the old Cold War, James Bond sense of the word.

MORE: Best Smart Home Hubs

Once their diabolical deed was done, the MWR team disconnected their wires, put the Echo back together and turned it back on again. The spying feature remained as a permanent, hidden function of the firmware. An unsuspecting Echo user would never have any idea that he or she was being eavesdropped upon.

You and I couldn't do what the MWR team did without a lot of practice. The photo MWR posted of their test unit looks like wire spaghetti. But it would certainly be possible to create a custom hardware interface that matched up with the Echo's debugging plate, making the hijacking process swifter and cleaner.

This is what we do on weekends. Credit: MWR Labs

(Image credit: This is what we do on weekends. Credit: MWR Labs)

So what, you ask? Anything can be hacked if you have physical access to the device.

That's true. But as independent security blogger Graham Cluley pointed out, a jealous husband could rig Echo to spy on his spouse. Corporate spies could do the same in enterprise environments.

MWR's hack works only on Echo models from 2015 and 2016 — the model number on the box will end in "01". Amazon got wise to the debugging-plate access after it was initially discovered late last year, and moved some of the connection points to other places in the device for the 2017 edition, with a model number ending in "02".

Cluley added that since December, the Wynn hotel in Las Vegas has been putting an Amazon Echo in every room. Last week, thousands of hackers were in Sin City for the annual Black Hat, DEF CON and BSides LV security conferences. Wynn guests might soon find out that what happens in Vegas doesn't always stay in Vegas.


Paul Wagenseil
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. That's all he's going to tell you unless you meet him in person.