Taking over an IoT (Internet of Things) device is nothing new for hackers, but as users have become increasingly dependent on smart devices, the vulnerabilities have increased as well. Recently, a security researcher discovered that the Amazon Echo, a smart speaker developed by Amazon, is vulnerable to a physical attack.
In this attack, an attacker with physical access to a 2015 or 2016 model Amazon Echo and professional knowledge of Linux can install malware on the device, turning it into a perfect surveillance tool, all without leaving a trace or clue for its owner.
How severely the device can be compromised depends on the attackers and the purpose for which they want to exploit it. However, British security researcher Mark Barnes of MwrLabs says that the malware infection can allow attackers to gain full remote access to a targeted device, steal customer authentication tokens, and live stream microphone audio. This means strangers can hear in-house conversations that you thought were private or secret.
This makes the Amazon Echo a perfect device for hackers, police and intelligence agencies should they choose you as their target or suspect you of a crime. An attacker, in this case, can be anyone with physical access to your house, including a family member, a friend or anyone else you trust.
This is similar to what WikiLeaks released in its Vault 7 series of documents, which allege that the CIA can spy on users through their Samsung smart TVs without their knowledge.
To conduct the hack, Barnes removed the rubber base of the Echo, which gave him access to 18 metal pads whose purpose is to find bugs and conduct tests on the device before it is sent to market for sale. Using these pads, one can also read data on the SD card. Barnes then connected his laptop through one of the metal pads and booted the device, which succeeded because no authentication was required.
Furthermore, Barnes drew on a paper released by researchers at The Citadel, which described how they were able to boot into a generic Linux environment from an external SD card attached to the debug pads on the base of the Amazon Echo. This allowed Barnes to install “a persistent implant, gain remote root shell access, and finally remotely snoop on the ‘always listening’ microphones.”
“Once we had root access we examined the processes running on the device and the scripts that spawn these processes. We were able to understand how audio media is being passed and buffered between processes and the tools that are used to create and interact with these audio buffers. Using the provided ‘shmbuf_tool’ application developed by Amazon, we created a script that would continuously write the raw microphone data into a named fifo pipe which we then stream over TCP/IP to a remote service. On the remote device, we receive the raw microphone audio, sample the data, and either save it as a .wav file or play it out of the speakers of the remote device”.
Barnes advises those looking to fix the issue to mute their device using the physical button and to check the original pack for a 2017 copyright and a device model number ending 02. Also, keep an eye on who has physical access to your Echo device, and in case of any suspicion inform Amazon.