from the physical-possession-is-game-over dept.
New research released by MWR InfoSecurity reveals how attackers can compromise the Amazon Echo and turn it into a covert listening device, without affecting its overall functionality.
Found to be susceptible to a physical attack, which allows an attacker to gain a root shell on the Linux Operating Systems and install malware, the Amazon Echo would enable hackers to covertly monitor and listen in on users and steal private data without their permission or knowledge.
By removing the rubber base at the bottom of the Amazon Echo, the research team could access the 18 debug pads and directly boot into the firmware of the device, via an external SD card, and install persistent malware without leaving any physical evidence of tampering. This gained them remote root shell access and enabled them to access the "always listening" microphones.
[...] The vulnerability has been confirmed to affect the 2015 and 2016 editions of the device. The 2017 edition of the Amazon Echo is not vulnerable to this physical attack. The smaller Amazon Dot model also does not carry the vulnerability.
More technical details can be found here.
Source: https://www.helpnetsecurity.com/2017/08/01/amazon-echo-covert-listening/
(Score: 2, Informative) by Anonymous Coward on Saturday August 05 2017, @12:32PM (2 children)
I'm pretty sure that Amazon has already done that. You know, it's a "feature".
(Score: 0) by Anonymous Coward on Saturday August 05 2017, @12:47PM
Indeed, a "feature" [theatlantic.com]
(Score: 5, Touché) by TheRaven on Saturday August 05 2017, @12:58PM
sudo mod me up
(Score: 3, Insightful) by Anonymous Coward on Saturday August 05 2017, @03:17PM (2 children)
(Score: 0) by Anonymous Coward on Saturday August 05 2017, @10:43PM
This is a geek news site, not a mainstream one. The article contains a link to a write-up on how they did it, which is quite interesting.
Sure it isn't a major vulnerability, even the write-up notes that and points out that most of us walk around with microphones in out pockets, without giving it much thought. However, it is still interesting and worthy of a post here.
(Score: 2) by darkfeline on Tuesday August 08 2017, @03:57AM
With physical access, you can turn anything into a listening device by jamming a $10-$100 microphone into it, including, say, pieces of fruit. As they say, the Apple is spying on you.
Join the SDF Public Access UNIX System today!
(Score: 2) by urza9814 on Monday August 07 2017, @12:16PM
I believe a more accurate title would be: Amazon Echo Jailbroken.
If they've got physical access to your home there's already nearly infinite ways to install covert listening devices. There interesting part about doing it with the Echo is that *you can do something interesting with the Echo!* ;)