Hackers Expose Scary Amazon Echo Vulnerability

Security researchers Wu Huiyu and Qian Wenxiang have discovered a terrifying way to turn an Amazon Echo into a spy bug. 

The researchers demonstrated their method onstage at the Def Con hacking conference on Sunday. To orchestrate the attack, they took apart an Echo, removed the flash chip from its motherboard, loaded it with custom spyware, and then re-attached the chip.

Credit: Shaun Lucas/Tom's Guide


The firmware is then able to find and link up to a targeted Amazon account using "cross-site scripting, URL redirection, and HTTPS downgrade attacks," according to Wired, which first reported the news. 

The device can then also access other Echo devices on the same network.


The doctored device can take advantage of Whole Home Audio Daemon, the software component that allows Echos on the same network to talk to each other, to gain full control over a targeted speaker. This means you could do anything from playing creepy music and calling Ubers for people to seizing control of their microphone and secretly recording audio.

There are some limitations to this attack: It requires that hackers have access to a device's hardware, and that they have the target's Wi-Fi password. But the researchers told Wired that such an attack could still work in public places, like hotel rooms or schools, with public passwords. 

The hackers have informed Amazon of the vulnerability, which the company told Wired it has already patched. 


  • Brad_53
    Requires physical access to accomplish? OoooOOoooo so scary.
  • jsmithepa
    21228758 said:
    Requires physical access to accomplish? OoooOOoooo so scary.
    Perfect for the crazy Ex.
  • aquielisunari
    21227818 said:
    Security researchers have discovered a way to turn an Amazon Echo into a spy bug.

    Hackers Expose Scary Amazon Echo Vulnerability : Read more

    So first they need psychic abilities to know I have an Echo. They then need to hack my home's security and compromise the manual locks. By this point and time the Echo should be the least of my worries.

    In short if you have a hacker friend you need to be scared, very very scared.

    Danny Ocean however could have a field day at the manufacturing plant and use the exploited Echos to make some withdrawals.

    Hackers as young as 5 or 6 can do so much. By the age of ten they can hack voting booths and skew the results. This cat and mouse game just keeps going and going and going and going and going...
  • USAFRet
    My Amazon Echo is right where it needs to be. On the shelf in some random warehouse, right next to the Google Dot.
  • nobspls
    "So first they need psychic abilities to know I have an Echo. They then need to hack my home's security and compromise the manual locks. ...."

    Go on and bury your head in the sand a little deeper. It will feel better. They just need to trick you into accepting a compromised Amazon delivery, starting from the Amazon warehouse. You know how many poorly treated workers there would do this for a bribe or two? This would be cake to do, especially considering state actors like China and Russia, LOL. Heck even the NSA might be in on it too.
  • aquielisunari
    21232197 said:
    "So first they need psychic abilities to know I have an Echo. They then need to hack my home's security and compromise the manual locks. ...."

    Go on and bury your head in the sand a little deeper. It will feel better. They just need to trick you into accepting a compromised Amazon delivery, starting from the Amazon warehouse. You know how many poorly treated workers there would do this for a bribe or two? This would be cake to do, especially considering state actors like China and Russia, LOL. Heck even the NSA might be in on it too.

    Who is they? Why an Amazon delivery? I haven't shopped there in years. Your scenario is implausible.
