When a device is permanently listening to everything that’s happening in your home then you better be sure that it’s secure.
However, researchers from MWR InfoSecurity have discovered a way to hack into the Amazon Echo, giving them the ability to install software that could allow them to listen to, and record, everything that the Echo hears – even if the speaker's usual trigger word has not been activated.
There are a couple of caveats to this hack. First is that it can’t be done remotely. This is a hack that requires direct access to the Amazon Echo speaker, where the potential hacker will need to remove the rubber base of the speaker to reveal its debug pads.
The second caveat is that this hack is only possible on 2015 and 2016 versions of the full-size Echo device (the Echo Dot is not affected). The copyright year on the packaging should tell you what year the device was manufactured in. The vulnerability doesn’t exist in the 2017 model of the speaker.
However, with an estimated 10 million Alexa-equipped devices sold as of May 2017, that's potentially a lot of vulnerable devices on the market.
An invisible hack
There are a number of opportunities a hacker may have to compromise a device. When we spoke to MWR InfoSecurity they suggested that a hacker may intercept the speaker when it’s on its way to a customer, or else buy one, compromise it, and then sell it on as a second hand device to an unsuspecting consumer.
Once the compromised device is in your home however there’s very little to let you know that it’s sending your voice data to anyone other than Amazon. It still responds as usual to voice commands, and its blue light gives no indication that it’s recording you at all times.
Reassuringly since the device’s mute button is a physical switch, and a representative from MWR InfoSecurity confirmed that using it would prevent a hacker from listening in.
Responding to the hack, Amazon commented, "Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date.”
Since the hack relies upon getting physical access to the device, it shouldn’t be too difficult to minimise your risk of being affected.
You can do so by making sure you only buy Amazon Echo devices that are new and directly sold by Amazon, and returning them if the box’s seal is broken. Buying the device second hand raises the risk of someone else having compromised it.
You shouldn't have any issues buying a refurbished device from Amazon directly as when asked for comment the company assured us that its refurbished devices "go through a very thorough process that includes wiping the device, a full factory reset, adding the latest firmware and all the appropriate testing."
The Amazon Echo has already been the source of some security concerns. Last year it’s recording data was . Amazon initially refused, citing customer privacy, but later consented after the defendant in the case consented to the data being used.
However, even in this case the speaker would only have been recording after it heard its ‘wake’ word. This more recent hack allows the device to record constantly.
The numerous caveats of the hack mean that it’s unlikely to become a widespread issue, but it should come as a potent reminder that if you’re putting a device with a microphone in it in your home that you should be extra careful about its security.
- If you're not familiar with the smart speaker, our Amazon Echo review will tell you everything you need to know.