Security researchers Wu Huiyu and Qian Wenxiang have discovered a terrifying way to turn an Amazon Echo into a spy bug.
The researchers demonstrated their method onstage at the Def Con hacking conference on Sunday. To orchestrate the attack, they took apart an Echo, removed the flash chip from its motherboard, loaded it with custom spyware, and then re-attached the chip.
The firmware is then able to find and link up to a targeted Amazon account using "cross-site scripting, URL redirection, and HTTPS downgrade attacks," according to Wired, which first reported the news.
The device can also then access other Echo devices on its same network.
The doctored device can take advantage of Whole Home Audio Daemon, the software component that allows Echos on the same network to talk to each other, to gain full control over a targeted speaker. This means you could do anything from playing creepy music and calling Ubers for people to seizing control of their microphone and secretly recording audio.
There are some limitations to this attack: It requires that hackers have access to a device's hardware, and that they have the target's Wi-Fi password. But the researchers told Wired that such an attack could still work in public places, like hotel rooms or schools, with public passwords.
The hackers have informed Amazon of the vulnerability, which the company told Wired it has already patched.
More on Alexa
Get the BEST of Tom’s Guide daily right in your inbox: Sign up now!
Upgrade your life with the Tom’s Guide newsletter. Subscribe now for a daily dose of the biggest tech news, lifestyle hacks and hottest deals. Elevate your everyday with our curated analysis and be the first to know about cutting-edge gadgets.
Monica Chin is a writer at The Verge, covering computers. Previously, she was a staff writer for Tom's Guide, where she wrote about everything from artificial intelligence to social media and the internet of things to. She had a particular focus on smart home, reviewing multiple devices. In her downtime, you can usually find her at poetry slams, attempting to exercise, or yelling at people on Twitter.