A British security researcher is reported to have said that malware can be installed on an Amazon Echo along with code that could allow the device to eavesdrop on your conversations.
Who & How?
Security expert Mark Barnes has made the news by saying that anyone could install malware on an Amazon Echo, along with his proof-of-concept code that would silently stream audio from the device to a remote server. This would enable a criminal, for example, to listen-in on private home conversations and private / personal information that could be used to e.g. steal money or burgle the home.
It has also been reported that this kind of hack would only work on devices sold before 2017.
A Potential To Listen Already Built-In
Since Amazon Echo is a smart speaker capable of voice interaction, the ability to listen to human voices is already built-in to the device, and forms an integral part of its operation and purpose.
As well as music playback, making to-do lists, setting alarms, streaming podcasts, playing audiobooks etc., the Echo can also control several smart devices when used as a home automation hub. This adds to its potential of becoming someone else’s secret personal listening / spying device if hacked.
Installing Malware On The Echo
Mr Barnes has been reported as saying that anyone could install malware on an Echo, and that taking over the device was "trivial" as long as the hacker had easy physical access to it.
How Is It Done?
According to Mr Barnes’s blog, such a hack is made possible by peeling off the rubber base of the Echo to expose a grid of electrical contacts, and then by connecting to one of the contacts to observe the boot-up procedure and work out how the device is configured.
Armed with this knowledge, Mr Barnes is reported as saying that software loaded on a small memory card can then be connected to one contact pad, and can thereby give a person control over the device. From this stage, how the audio is handled can be studied, and an attack code can then be created which forwards everything that the device hears to a remote server.
No Comment From Amazon
Despite the claims from Mr Barnes being widely reported online, there has been no comment as yet from Amazon (at the time of writing this article).
What Does This Mean For Your Business?
This story highlights how many of the existing fears about the vulnerability of smart / IoT devices are still very much present, and how a device that is designed to listen anyway could pose even more of a risk.
IoT security fears are nothing new, and usually focus on how devices could be taken over and used against us due to customers not changing the default passwords that the devices come with. What makes the fears about this story more real is that reports indicate that the researcher has actually tried it and succeeded.
For businesses that develop these products, apart from the initial bad PR, the finding of security holes by security professionals could actually allow them to address security flaws early on, and prevent an even worse, more costly situation e.g. malicious hackers finding the flaw and launching attacks on customers.
An example of an exploitable fault discovered in household devices happened back in June, when all Virgin Super Hub 2’ and ‘Super Hub 2 AC’ routers (made by Netgear) were found to have exactly the same private encryption key. These standard home routers are used by one of the UK’s largest ISPs, and are used in millions of homes (and small businesses) across the UK. Having a common security flaw in all of them, which could be exploited by cyber criminals using a relatively low-tech approach and low cost method represented a major potential security risk and for millions of people. Virgin Media were then forced to develop and distribute a security patch.
IoT security is likely to be a major concern for quite some time yet as it has not been effectively addressed in the marketplace, so this story about potential security flaws in a popular IoT device is likely to be one of many going forward.