Every good paranoiac sees an always-listening device like an Amazon Echo as a potential spy sitting in plain sight. Now one security researcher has shown exactly how fine the line is between countertop computer and surveillance tool. With just a few minutes of hands-on time, a hacker could turn an Echo into his or her personal eavesdropping microphone without leaving any physical trace.
On Tuesday, British security researcher Mark Barnes detailed a technique anyone can use to install malware on an Amazon Echo, along with his own proof-of-concept code that would silently stream audio from the hacked device to his own faraway server. The technique requires gaining physical access to the target Echo, and it only works on devices sold before 2017. But there’s no software fix for older devices, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion.
While that shouldn’t raise alarms for every Echo owner that hackers are about to hijack their smart speaker, it does raise questions about the security of the devices that are increasingly left in hotel rooms or offices, out of their owners’ constant control.
Tapping the Echo
“We present a technique for rooting an Amazon Echo and then turning it into a ‘wiretap’,” writes Barnes, who works as a security researcher for Basingstoke, UK-based MWR Labs. His writeup goes on to describe how he was able to install his own rogue software on the device, create a “root shell” that gives him access over the internet to the hacked Echo, and to “finally remotely snoop on its ‘always listening’ microphones.”
The method takes advantage of a physical security vulnerability Amazon left in its pre-2017 Echo units: Remove the rubber base of the device, and underneath hides a small grid of tiny metal pads that act as connections into its internal hardware, likely used for testing and fixing bugs in the devices before they were sold. One of those allows the Echo to read data from an SD card, for instance.
So Barnes soldered his own connections to two of the tiny metal pads, one wired to his laptop and another to an SD card reader. Then he used Amazon’s own built-in functionality to load his own version of the Echo’s so-called “bootloader”—the deep-seated software in some devices that tells them how to boot their own operating system—from his SD card, including tweaks that turned off the operating system’s authentication measures and allowed him the privileges to install software on it.
While the soldering took hours and left behind physical evidence—it would be hard to miss the wires sticking out everywhere—Barnes says that with a bit more development, the pads could just as easily be accessed with a purpose-built device that uses pins to connect to them directly, and more cleanly achieves the same effect in minutes. In fact, an earlier paper by a group of researchers at the Citadel military academy in South Carolina identified the same pins, suggesting that hackers could use a 3-D-printed attachment to connect to them.
“You just peel off the little rubber base, and you can access these pads straightaway,” Barnes explains. “You could make a device that would push onto the base, that you wouldn’t have to solder on, and that wouldn’t leave any obvious signs of manipulation.”
After gaining the ability to write his own software to the Echo, Barnes wrote a simple script that takes over its microphone functions and streams its audio to any remote computer he chooses. But he points out that his malware could just as easily perform other nasty functions, like using it as an access point to attack other parts of the network, stealing access to the owner’s Amazon account, or installing ransomware. “You can make it do whatever you want, really,” Barnes says.
‘Turn It Off’
Amazon has fixed the security flaw Barnes exploited in its most recent version of the Echo, Barnes says, removing the external connection that allows access to its SD card. When WIRED reached out to Amazon for comment, the company wrote in a statement that “to help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date.”
Barnes agrees that his work should serve as a warning that Echo devices bought from someone other than Amazon, like a secondhand seller, could be compromised. But he also points out that, contrary to the implication of the company’s statement, no software update will protect earlier versions of the Echo, since the problem is in the physical connection its hardware exposes.
Instead, he says that people should think twice about the security risks of using an Echo in public or semi-public places, like plans for the Wynn Hotel in Las Vegas to put an Echo in every room. “In that case, you don’t really control who has access to the devices,” Barnes says. “The previous guest could have installed something, the cleaner, whoever.” The notion that intelligence services, for instance, might go to the effort to turn in-room devices into spying tools is more than paranoia: Documents released by WikiLeaks show that the CIA has explored similar physical access techniques designed to turn Samsung smart televisions into eavesdropping devices.
For those wary of a potentially compromised Echo, Barnes notes that the devices do have a “mute” button that works as a hardware switch and isn’t easily bypassed by malware. He recommends it. “If anyone pushes that mute button, I can’t unmute it in software,” he says.
And he offers a simpler solution, too: “Just turn it off.”