Who is listening? Older Amazon Echo devices can be rooted and turned into wiretapping machines
Security researchers at MWR InfoSecurity have warned of a serious security vulnerability with the Amazon Echo speaker.
Launched in the US back in June 2015, the Echo speaker comes with the smart virtual assistant Alexa, but the researchers have now demonstrated how older versions of the device can be turned into a spying machine, right inside people’s homes.
Indeed, attackers can record and stream conversations that take place within Alexa’s ‘hearing,’ and send them to a remote computer. And even worse, the flaw allows for the theft of an owner’s Amazon credentials and authentication tokens, as well the theft of personal information from apps installed on the device.
The MWR InfoSecurity warning about the Alexa came in a blog posting which describes a proof of concept for an attack.
The good news is that for the attack to work, the hackers will need to gain physical access to the device itself in order to gain a root shell on the underlying Linux operating system and install their malware.
Unfortunately, the hacked device will not show any physical evidence of tampering, and will continue to work as normal, but on the plus side, the Echo speaker cannot be hacked remotely. It requires physical access.
Essentially the problem stems from the ‘exposed debug pads on the base of the device’, as well as the fact that the Echo has a hardware configuration setting which allows the device to boot from an external SD card.
The way the attack works is as follows.
The attacker removes the rubber base of the Amazon Echo to reveals 18 debug pads. The attacker then attaches an external SA card to the debug pads, and is then able to boot into the actual firmware on the Echo.
“The configuration of the Echo is such that it will first attempt to boot from an SD Card connected to the exposed debug pads before the internal eMMC unit,” wrote the researchers in their analysis. “By correctly formatting a SD Card with X-loader and U-Boot in the correct partition we can boot from this card and into a U-Boot commandline interface.”
The researchers were then able to install malware and can gain remote root shell access. The researchers were also able to remotely listen into the ‘always listening’ microphones.
“Once we had root we examined the processes running on the device and the scripts that spawn these processes,” the researchers wrote. “We were able to understand how audio media is being passed and buffered between processes and the tools that are used to create and interact with these audio buffers.
“Using the provided ‘shmbuf_tool’ application developed by Amazon, we created a script that would continuously write the raw microphone data into a named fifo pipe which we then stream over TCP/IP to a remote service. On the remote device we receive the raw microphone audio, sample the data and either save it as a wav file or play it out of the speakers of the remote device.”
The researchers warned that the hacked Echo will continue to function as normal and will not display any signs of the tampering.
The flaw has been confirmed on the 2015 and 2016 edition of the Amazon Echo however the 2017 edition is not vulnerable to this physical attack.
“Rooting an Amazon Echo was trivial however it does require physical access which is a major limitation,” said the researchers. “However, product developers should not take it for granted that their customers won’t expose their devices to uncontrolled environments such as hotel rooms.”
They pointed out that the Amazon Echo does include a physical mute button that disables the microphone or it can be simply turned off when sensitive information is being discussed.
And it also be noted that many people walk around with trackable microphones in our pockets (i.e smartphones) without a second thought.
In May Amazon revealed it was extending its Echo and smart virtual assistant Alexa with the debut of the Echo Show, which mixes in the Echo’s speakers voice controlled capabilities with a digital display.
The issue with privacy and the Amazon Echo surfaced recently when police investigating a murder in the US state of Arkansas in December demanded access to some audio data that may have been recorded on an Amazon Echo electronic personal assistant. Amazon agreed in March to hand over data after the defendant gave his consent.