As new devices emerge, tech experts and white-hat hackers test them to see if they can be hacked and used to spy on text messages, and people. At a recent DefCon Hacking Conference, white-hat hackers explained how they were able to hack into an Amazon Echo and use it to spy on people.
How Did They Do It
The technique used to make Alexa a spy was complicated; the commissioned hackers had extensive hardware skills, and access to the Echo’s Wi-Fi. The layman’s version of this technique involved a second-generation Amazon Echo with chained bugs (multiple technology errors) to infiltrate another Echo device. Then, audio was recorded from the Echo and sent to the remote spy.
Here’s the detailed version of how the hackers turned Alexa into a spy:
- The hackers created an attack Echo by altering its flash chip and firmware.
- On the Alexa interface, the hackers exploited three vulnerabilities: cross-site scripting, URL redirection, and HTTPS downgrade attacks. These were used to link their Echo to the target’s Amazon account.
- The hacker’s Echo was connected to the Wi-Fi network the target Echo used. Then, they took advantage of the Whole Home Audio Daemon used for Echo communication.
- By exploiting a Daemon vulnerability, the hackers could control the target Echo’s speaker. With this, they could secretly record and send audio to a remote spy.
The main obstacle of this technique was getting the hacked Echo to connect to the same Wi-Fi network as the target Echo. These white-hat hackers reported their findings to Amazon who issued security fixes for the vulnerabilities this past July. The details of this were originally reported by Wired.
The moral of the story is that any device, even the Echo and Echo Dot, is hackable and can be used to spy on people. The only thing regular consumers can do to protect their devices is to utilize the security features available to them.