Research from MWR InfoSecurity Ltd. shows that threat actors can install malware on an Amazon Echo and turn it into a listening device. How effective is this attack, and is there any way to determine if an Amazon Echo has been compromised?

An attacker needs to gain a root shell on the Linux operating system to install malware and exploit this Amazon Echo vulnerability.

By removing the rubber base of the Amazon Echo, the attacker could use an external SD card to boot into the device's firmware as the MWR researchers demonstrated. After putting the base back, a tech-savvy attacker could use a mobile device to remotely access the always-listening microphone. The audio could be streamed to a remote server, played out of the speakers or saved as a WAV file.

The listening microphone will wake up after the victim says "Alexa." Everything the victim says is then recorded in the background. This includes telling the Echo what music to play, who to call and when to send messages. The victim could get the news he wants and the scores for his favorite sports. Other options the victim could use are controlling lights, TVs, thermostats and garage doors. When used with a mobile device running the Alexa app -- on the Android or iPhone -- the victim could orally search for consumer items using the Echo as a virtual assistant device. The attacker would get a gold mine of the victim's shopping preferences.

The physical Amazon Echo vulnerability affects the 2015 and 2016 editions of the Amazon device. The 2017 edition and the Amazon Echo Dot model are free from this vulnerability.

It is not possible to apply software or firmware updates to correct the design flaw in the affected Echo models, and there is no way for the victim to determine if the vulnerability on the physical device has been exploited.

The victim may find it inconvenient to physically turn on the mute button to disable the microphone or to fully turn off the Echo. A better approach to protect against this Amazon Echo vulnerability is to monitor the network traffic on your mobile device and look for any anomalous activity that might indicate a compromise. Many monitoring tools for mobile devices are available. If there is suspicious traffic on your Echo, you may want to think about replacing it with a newer model. 

Written by: Judith Myerson 

Published in: SearchSecurity.com