EVERY GOOD PARANOIAC sees an always-listening device like an Amazon Echo as a potential spy sitting in plain sight. Now one security researcher has shown exactly how fine the line is between countertop computer and surveillance tool. With just a few minutes of hands-on time, a hacker could turn an Echo into a personal eavesdropping microphone without leaving any physical trace.
On Tuesday, British security researcher Mark Barnes detailed a technique anyone can use to install malware on an Amazon Echo, along with his proof-of-concept code that would silently stream audio from the hacked device to his own faraway server. The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. But there's no software fix for older units, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion.
While that shouldn't raise alarms for every Echo owner that hackers are about to hijack their smart speaker, it does raise questions about the security of the devices, which are increasingly left in hotel rooms or offices, out of their owners' constant control.
Tapping the Echo
"We present a technique for rooting an Amazon Echo and then turning it into a 'wiretap'," writes Barnes, who works as a security researcher for Basingstoke, UK-based MWR Labs. His write-up goes on to describe how he was able to install his own rogue software on the device, create a "root shell" that gives him access over the internet to the hacked Echo, and to "finally remotely snoop on its 'always listening' microphones."
The method takes advantage of a physical security vulnerability Amazon left in its pre-2017 Echo units: Remove the rubber base of the device, and underneath hides a small grid of tiny metal pads that act as connections into its internal hardware, likely used for testing and fixing bugs in the devices before they were sold. One of those allows the Echo to read data from an SD card, for instance.
So Barnes soldered his own connections to two of the tiny metal pads, one wired to his laptop and another to an SD card reader. Then he used Amazon's built-in functionality to load his own version of the Echo's so-called "bootloader"—the deep-seated software in some devices that tells them how to boot their own operating system—from his SD card, including tweaks that turned off the operating system's authentication measures and allowed him the privileges to install software on it.
While the soldering took hours and left behind physical evidence—it would be hard to miss the wires sticking out everywhere—Barnes says that with a bit more development, the pads could just as easily be accessed with a purpose-built device that uses pins to connect to them directly and more cleanly achieves the same effect in minutes. In fact, an earlier paper by a group of researchers at the Citadel military academy in South Carolina identified the same pins, suggesting that hackers could use a 3-D-printed attachment to connect to them.
"You just peel off the little rubber base and you can access these pads straightaway," Barnes explains. "You could make a device that would push onto the base, that you wouldn’t have to solder on, and that wouldn’t leave any obvious signs of manipulation."