Hackers discover way to hijack Amazon Echo and spy on unsuspecting users

Chinese hackers at DEFCON have demonstrated how they were able to hack an Amazon Echo unit, enabling them to listen and record unsuspecting targets.


Smart speakers like Google Home and Amazon Echo are becoming increasingly popular in the U.S. About 39 million Americans regularly use these devices, which can do everything from play music, fetch a weather forecast and even order a pizza. The devices are able to perform those tasks because of voice-activation technology that triggers various scripts at the mere utterance of a word like ‘Alexa’.

But that same voice-activation and recording technology has alarmed many security experts over the years who fear it could be exploited by hackers seeking to listen in on unsuspecting targets. Recently, a group of Chinese hackers figured out how to do just that.

At the DEFCON security conference in Las Vegas on Sunday, researchers Wu Huiyu and Qian Wenxiang demonstrated how they discovered a way to hijack the second-generation Amazon Echo by exploiting a series of bugs within the device’s hardware and software.

The vulnerabilities shouldn’t alarm Echo users because they’ve since been fixed by Amazon, and the attack required rather extensive technical expertise to execute. Still, the attack arguably represents the most successful breach of a smart speaker system to date.

“After several months of research, we successfully break the Amazon Echo by using multiple vulnerabilities in the Amazon Echo system, and [achieve] remote eavesdropping,” the hackers wrote to WIRED. “When the attack [succeeds], we can control Amazon Echo for eavesdropping and send the voice data through network to the attacker.”

The team’s attack worked like this: First, the researchers removed the flash chip from an Echo unit, modified the chip and reinserted it into the unit. Then, assuming the researchers could get their modified Echo connected to the same Wi-Fi network as the target’s Echo, they showed how they could exploit a software component of Amazon’s speakers, called Whole Home Audio Daemon, to eventually take control of the target Echo.

The attack would theoretically enable a third-party to record and transmit audio from an Echo without the target ever knowing their device had been hijacked.

“After a period of practice, we can now use the manual soldering method to remove the firmware chip ... from the motherboard and extract the firmware within 10 minutes, then modify the firmware within 5 minutes and [attach it] back to the device board,” the team told WIRED. “The success rate is nearly 100 percent. We have used this method to create a lot of rooted Amazon Echo devices.”

A spokesperson for Amazon told WIRED that “customers do not need to take any action as their devices have been automatically updated with security fixes,” and that “this issue would have required a malicious actor to have physical access to a device and the ability to modify the device hardware.”

It’s not the first time vulnerabilities in Echo units have been identified. One of the most recent demonstrations came in April of this year when the cybersecurity company Checkmarx showed it was able to tweak an Echo so that it keeps ‘listening’—and, therefore, recording—long after the user had said the activation word ‘Alexa’. That exploit, which has since been fixed by Amazon, effectively turned the unit into a surveillance device, though the team said it was unable to figure out how to turn off the unit’s blue light-ring.

LinkedIn meets Tinder in this mindful networking app

Swipe right to make the connections that could change your career.

Getty Images
Sponsored
Swipe right. Match. Meet over coffee or set up a call.

No, we aren't talking about Tinder. Introducing Shapr, a free app that helps people with synergistic professional goals and skill sets easily meet and collaborate.

Keep reading Show less

15 surprising life lessons from a highly successful 80-year-old

You can use these to get ahead, no matter your age.

Personal Growth

Blackstone's Byron Wien, Vice Chairman of Private Wealth Solutions Group, gave a speech laying out the wisdom he learned during his 80 years. Here are 15 of Wien's best life lessons, which teach us about improving our productivity, sleep, burnout avoidance, and everything in between.

Keep reading Show less

Employees don't quit their job, they quit their boss

According to TwoFold CEO Alison McMahon, a leader who doesn't care (or can't pretend to care) about his or her employees isn't much of a leader at all.

Photo credit: Mantas Hesthaven on Unsplash
Technology & Innovation

Why do people quit their jobs? Surely, there are a ton of factors: money, hours, location, lack of interest, etc. For Alison McMahon, an HR specialist and the CEO of TwoFold, the biggest reason employees jump ship is that they're tired of working for lousy bosses.

By and large, she says, people are willing to put up with certain negatives as long as they enjoy who they're working for. When that's just not the case, there's no reason to stick around:

Nine times out of ten, when an employee says they're leaving for more money, it's simply not true. It's just too uncomfortable to tell the truth.

Whether that's true is certainly debatable, though it's not a stretch to say that an inconsiderate and/or incompetent boss isn't much of a leader. If you run an organization or company, your values and actions need to guide and inspire your team. When you fail to do that, you set the table for poor productivity and turnover.

McMahon offers a few suggestions for those who want to hone their leadership abilities, though it seems that these things are more innate qualities than acquired skills. For example, actually caring about your workers or not depending wholly on HR thinking they can do your job for you.

It's the nature of promotions that, inevitably, a good employee without leadership skills will get thrust into a supervisory position. McMahon says this is a chronic problem that many organizations need to avoid, or at least make the time to properly evaluate and assist with the transition.

But since they often don't, they end up with uninspired workers. And uninspired workers who don't have a reason to stay won't stick around for long.

Read more at LinkedIn.

Radical theory says our universe sits on an inflating bubble in an extra dimension

Cosmologists propose a groundbreaking model of the universe using string theory.

Getty Images/Suvendu Giri
Surprising Science
  • A new paper uses string theory to propose a new model of the universe.
  • The researchers think our universe may be riding a bubble expanded by dark energy.
  • All matter in the universe may exist in strings that reach into another dimension.
Keep reading Show less