vpnMentor has discovered a critical vulnerability in the hardware design of Amazon Echo 1st generation.
The design flaw is only accessible if you have the device in your hands. So, the sky is not falling. If you bought yours from a legitimate retailer (and that does not include cut-price online merchants), you are safe.
vpnMentor was able to take complete control of the device without affecting its user functionality. It could then listen to every conversation.
Apparently, the device (which runs an underlying operating system akin to Linux) can boot from an SD card slot easily accessible from the base of the device.
vpnMentor was able to gain administrative rights and install malicious software, without leaving physical evidence of tampering. Once installed, this malware could grant an attacker persistent remote access to the device, the ability to steal customer authentication tokens and the power to stream live microphone audio to remote services without altering the functionality of the device.
So how does this affect me?
The market for smart speakers is snowballing. The curious often look for second-hand Alexas online to dip a low-cost toe in the water.
Ariel Hochstadt, a co-founder of internet security business vpnMentor, uses internet search trends to illustrate how the demand for used smart-home products is taking off. He looked at the average Google search trends worldwide since Amazon Echo’s launch date in November 2014.
“The terms ‘second-hand Alexa’ and ‘used Alexa’ have seen a 131% and 502.86% increase respectively. This would highlight a growing interest from consumers in the second-hand market, specifically with Amazon Alexa,” he says.
Hochstadt is concerned that it is too easy to tamper with second-hand products. “The buyer would not be aware that they have purchased a pre-hacked device and, therefore, once in the home, the hackers would be able to access it remotely without ever having to enter the home,” he warns.
vpnMentor warns that all second-hand electronic equipment, especially devices with a camera or microphone (smartphones included), is potentially at risk. Hochstadt does not want to sound alarmist in any way. While vpnMentor has proven that the bug and exploit exist, the issue has been revealed to warn about second-hand devices, not specifically Amazon Alexa.
GadgetGuy’s take. It’s time this issue was addressed.
Out of curiosity, and with no agenda for anti-Alexa sentiment, I Googled ‘hacking Alexa’. It surprised me to see 5,300,000 results. A search for hack ‘OK Google Assistant’ yielded 14,800,000 results.
The term ‘hack’ covers so many things. But where there is smoke, there is fire. Any IoT device is at risk.
At present, the safest thing you can do is not to say anything that you would not want your mother to hear!