9th August 2017
 

A researcher has revealed that Amazon’s Echo smart speaker can be hacked in such a way that it sends everything it hears to a prospective attacker.

Mark Barnes said that his attacks on certain versions of the device enabled him to have almost full control of the speaker, including entering the Echo’s software innards through connections found on the base.

Mr Barnes said that it was a simple task to take over the device once the initial access had been made.

The Echo uses AI to hear and respond to voice commands issued by the user, carrying out the functions requested. These include ordering goods from a retailer, playing songs and answering questions.

The first step of the hack was to remove the Echo’s rubber base, exposing electrical contacts. This enabled Mr Barnes to view the Echo’s boot-up procedure and analyse how it worked. Mr Barnes was then able to create software that would allow him to control the device.

He was then able to examine the way in which audio was handled, before creating code that would forward all audio to a remote server.

Amazon did not make a direct comment on the findings of the attack but issued a statement saying: “Customer trust is very important to us.

“To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date.”

Mr Barnes admitted that the need to have physical access to the device was a “major limitation”, but added that there were a number of opportunities for people to do so and that second-hand devices would be particularly susceptible.

The attack was carried out on the versions of the Echo that were released in 2015 and 2016. More recent versions of the Echo are not susceptible to the same attack.

Mr Barnes recommended that hardware makers start assessing novel gadgets on their ability to resist physical attacks “as early as possible”.

“Product recalls and modifications can be expensive in post-production, so physical security should be considered throughout the development life cycle,” he said.