olly - Fotolia

How does an Amazon Echo vulnerability enable attackers to eavesdrop?

Hackers could take advantage of a physical Amazon Echo vulnerability to turn the Echo into a listening device. Judith Myerson explains how this works and what can be done about it.

Research from MWR InfoSecurity Ltd. shows that threat actors can install malware on an Amazon Echo and turn it into a listening device. How effective is this attack, and is there any way to determine if an Amazon Echo has been compromised?

An attacker needs to gain a root shell on the Linux operating system to install malware and exploit this Amazon Echo vulnerability.

By removing the rubber base of the Amazon Echo, the attacker could use an external SD card to boot into the device's firmware as the MWR researchers demonstrated. After putting the base back, a tech-savvy attacker could use a mobile device to remotely access the always-listening microphone. The audio could be streamed to a remote server, played out of the speakers or saved as a WAV file.

The listening microphone will wake up after the victim says "Alexa." Everything the victim says is then recorded in the background. This includes telling the Echo what music to play, who to call and when to send messages. The victim could get the news he wants and the scores for his favorite sports. Other options the victim could use are controlling lights, TVs, thermostats and garage doors. When used with a mobile device running the Alexa app -- on the Android or iPhone -- the victim could orally search for consumer items using the Echo as a virtual assistant device. The attacker would get a gold mine of the victim's shopping preferences.

The physical Amazon Echo vulnerability affects the 2015 and 2016 editions of the Amazon device. The 2017 edition and the Amazon Echo Dot model are free from this vulnerability.

It is not possible to apply software or firmware updates to correct the design flaw in the affected Echo models, and there is no way for the victim to determine if the vulnerability on the physical device has been exploited.

The victim may find it inconvenient to physically turn on the mute button to disable the microphone or to fully turn off the Echo. A better approach to protect against this Amazon Echo vulnerability is to monitor the network traffic on your mobile device and look for any anomalous activity that might indicate a compromise. Many monitoring tools for mobile devices are available. If there is suspicious traffic on your Echo, you may want to think about replacing it with a newer model.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn how to manage and monitor hybrid networks

Discover more about cyber-physical attacks

Find out why Amazon is paying out for developers with Alexa skills

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing