‘ALEXA, SNOOP ON MY WESTERN BUDDIES’ is potentially a command Chinese hackers barked at an Amazon Echo after they managed to turn it into a snooping device.
Cybersecurity boffins from Chinese firm Tencent’s Blade security research team exploited various vulnerabilities they found in the Echo smart speaker to eventually coax it into becoming an eavesdropping device.
The hackers showed off the snooping speaker at the DefCon security conference, reported Wired, using it as a demonstration of the potential for smart home devices to be used for surveillance.
But before you boot your Echo or Google Home out of the nearest window, the hackers noted that getting into the Echo was hardly an easy process, and Amazon now has fixes for the security holes.
“After several months of research, we successfully break the Amazon Echo by using multiple vulnerabilities in the Amazon Echo system, and [achieve] remote eavesdropping,” a description of the hackers’ work, provided to Wired, explained.
“When the attack [succeeds], we can control Amazon Echo for eavesdropping and send the voice data through the network to the attacker.”
The hackers first needed to create a spying-capable Echo, which involved a multi-step penetration technique with enough intricacies to get past the device’s built-in security. This included taking apart the Echo, removing its flash chip and writing custom firmware onto it before remounting the chip.
Once done, the Echo then had to be connected to the same network as a target Echo device. From there, the hackers could exploit a vulnerability in Amazon’s Whole Home Audio Daemon, which can communicate with other Echo devices on the network, and gain control over targeted Echo gadgets.
And, from there, they could then snoop on their victims and pass recordings back to the malicious Echo or pipe all manner of sound through the hijacked Echo.
The technique is hardly an easy or particularly remote way to hack an Echo, but it does conjure up some techniques spies could apply in surveillance operations, providing they have permission to sneak into a person’s house, or they could go rogue like Ethan Hunt does in pretty much every Mission Impossible flick.
The whole situation also highlights how security in such devices needs to be given as much attention as other smart features, as there’s already been a swathe of examples where lax security in smart or connected devices has led to hack attacks.