UPDATED 23:52 EST / AUGUST 02 2017

Security vulnerabilities in Amazon’s Echo can turn it into a spying device

Jokes about the Amazon Echo and similar smart home devices being self-installed wiretaps that monitor your every move have abounded since the devices were first launched. It turns out such jokes are now a reality, as a security researcher discovered that turning an Echo into a spying device is actually fairly easy to do.

Mark Barnes from MWR InfoSecurity detailed the hack in a blog post, describing how the “Amazon Echo is vulnerable to a physical attack that allows an attacker to gain a root shell on the underlying Linux operating system and install malware without leaving physical evidence of tampering.”

The hack involves removing the rubber base at the bottom of the Echo, accessing the device via its debug pads and then booting firmware directly from an external Secure Digital card to obtain root access. With root access, an attacker can install malware that monitors the device, including always-on voice capture.

Interestingly, a simple oversight creates the vulnerability and makes the hack easy: the hardware configuration setting in the affected models allows the device to boot from an external SD card. Without this setting, hacking the Echo would not be nearly as easy.

“The rooting of the Amazon Echo device in itself was trivial; however, it raises a number of important questions for manufacturers of Internet enabled or ‘Smart Home’ devices,” Barnes wrote. “The biggest limitation of this vulnerability is the need for physical access to the device itself, but it shouldn’t be taken for granted that consumers won’t expose the devices to uncontrolled environments that places their security and privacy at risk.”

The vulnerability itself only applies to the 2015 and 2016 versions of the Amazon Echo. The 2017 version doesn’t allow access to external devices.

Barnes concluded that physical security — that is, the ability for anyone to directly access a device such as the Amazon Echo — should be considered throughout the development life cycle and that “physical attacks should also be incorporated into any security assessments as early as possible to increase assurance of the product.”
