How Amazon Echo could be used to spy on you
As we acquire more voice activated smart devices, there's always the risk that they could be eavesdropping on day-to-day conversations.
Exploiting the vulnerability does require physical access to the device. By removing the rubber base at the bottom of the Echo, the research team was able to access the 18 debug pads and directly boot into the firmware of the device, via an external SD card, and install persistent malware without leaving any physical evidence of tampering. Doing this gave them remote root shell access and enabled them to access the 'always listening' microphones.
"The rooting of the Amazon Echo device in itself was trivial; however, it raises a number of important questions for manufacturers of Internet enabled or 'Smart Home' devices," says Mark Barnes, security consultant at MWR InfoSecurity. "The biggest limitation of this vulnerability is the need for physical access to the device itself, but it shouldn't be taken for granted that consumers won't expose the devices to uncontrolled environments that places their security and privacy at risk."
The vulnerability has been confirmed to affect the 2015 and 2016 editions of the device. The 2017 edition of the Amazon Echo is not vulnerable to this physical attack. The smaller Amazon Dot model also does not carry the vulnerability.
MWR has made full disclosure of the vulnerability to Amazon, which responded by saying, "Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date."
Further recommendations from MWR are to use the Echo's mute button when sensitive information is being discussed, and to monitor network traffic for suspicious activity.
More details on the vulnerability can be found on the MWR Labs blog.