A vulnerability in the Amazon Echo device can be exploited to turn it into a covert spying tool, say researchers.
The popular speaker-come-personal-assistant is vulnerable to a physical attack that enables a threat actor to covertly monitor and listen in on users, stealing private data, without any indication of anything untoward.
While earlier research had shown that it was possible to boot into a generic Linux environment from an external SD card, via the debug pads exposed when the Echo rubber base is removed, MWR researchers managed to boot into the Echo firmware itself.
This enabled them to install a ‘persistent implant’ and gain remote root shell access, before remotely monitoring the always listening microphone of the Echo. MWR’s researchers developed scripts to leverage tools embedded on the device in order to stream the resulting audio to a remote server.