Hackers discover way to hijack Amazon Echo and spy on unsuspecting users

Chinese hackers at DEFCON have demonstrated how they were able to hack an Amazon Echo unit, enabling them to listen and record unsuspecting targets.


Smart speakers like Google Home and Amazon Echo are becoming increasingly popular in the U.S. About 39 million Americans regularly use these devices, which can do everything from playing music and fetching a weather forecast to ordering a pizza. The devices are able to perform those tasks because of voice-activation technology that triggers various scripts at the mere utterance of a word like ‘Alexa’.

But that same voice-activation and recording technology has alarmed many security experts over the years who fear it could be exploited by hackers seeking to listen in on unsuspecting targets. Recently, a group of Chinese hackers figured out how to do just that.

At the DEFCON security conference in Las Vegas on Sunday, researchers Wu Huiyu and Qian Wenxiang demonstrated how they discovered a way to hijack the second-generation Amazon Echo by exploiting a series of bugs within the device’s hardware and software.

The vulnerabilities shouldn’t alarm Echo users because they’ve since been fixed by Amazon, and the attack required rather extensive technical expertise to execute. Still, the attack arguably represents the most successful breach of a smart speaker system to date.

“After several months of research, we successfully break the Amazon Echo by using multiple vulnerabilities in the Amazon Echo system, and [achieve] remote eavesdropping,” the hackers wrote to WIRED. “When the attack [succeeds], we can control Amazon Echo for eavesdropping and send the voice data through network to the attacker.”

The team’s attack worked like this: First, the researchers removed the flash chip from an Echo unit, modified the chip and reinserted it into the unit. Then, assuming the researchers could get their modified Echo connected to the same Wi-Fi network as the target’s Echo, they showed how they could exploit a software component of Amazon’s speakers, called Whole Home Audio Daemon, to eventually take control of the target Echo.

The attack would theoretically enable a third party to record and transmit audio from an Echo without the target ever knowing their device had been hijacked.

“After a period of practice, we can now use the manual soldering method to remove the firmware chip ... from the motherboard and extract the firmware within 10 minutes, then modify the firmware within 5 minutes and [attach it] back to the device board,” the team told WIRED. “The success rate is nearly 100 percent. We have used this method to create a lot of rooted Amazon Echo devices.”

A spokesperson for Amazon told WIRED that “customers do not need to take any action as their devices have been automatically updated with security fixes,” and that “this issue would have required a malicious actor to have physical access to a device and the ability to modify the device hardware.”

It’s not the first time vulnerabilities in Echo units have been identified. One of the most recent demonstrations came in April of this year when the cybersecurity company Checkmarx showed it was able to tweak an Echo so that it keeps ‘listening’—and, therefore, recording—long after the user had said the activation word ‘Alexa’. That exploit, which has since been fixed by Amazon, effectively turned the unit into a surveillance device, though the team said it was unable to figure out how to turn off the unit’s blue light-ring.
