Skip to main content

A proof-of-concept 'wiretap' on the Amazon Echo is interesting, but not alarming

There are a couple ways to think of security when it comes to our connected devices. One is binary. Either they're safe and secure and not being actively exploited, or they're not.

I take a different tack. I look at my connected devices and assume someone can see or hear me through them and work backward from there when it comes to publicly announced exploits and hacks. How is the hack achieved? Does it require physical access to the device? Do I have to do something to it first, like install an app from a specious source? Is it something a little scarier, like the recent Broadcom vulnerability? And what's the history of the hardware manufacturer when it comes to updates?

Important things, all. And something to keep in mind when we look at the recent disclosure of a "hack" of the Amazon Echo, as detailed in Wired. Specifically, we're talking about the 2015 and 2016 models. So if you've bought one this year, you should be OK.

Unless you're an active target of a hacker, requiring physical access to a device generally means you'll be OK.

The short version is this: Those earlier Echo models were manufactured in a way in which someone could physically attach a little extra hardware to the Echo (a bootable SD card, actually), hidden out of sight under the rubber footing. This would let them listen in on what was being said, record it, and fire it off anywhere the hacker pleased. (That's in addition to other nastiness.)

There are a few things to keep in mind here, and it's something that the write-up of the exploit rightly considers.

First, the hacker would need physical access to your Echo. And if you're already an active target and someone's able to get into your home, you've got much bigger issues than Alexa listening in. (Like, say, planting a real bug somewhere else. Or multiple somewheres else.)

Second: The hacker would need physical access to your Echo. This isn't just a software thing. It's worth mentioning twice.

That's not to say there aren't scenarios in which I might worry a little more, however. The original write-up also mentions that the larger (yet still theoretical, as this is all part of a proof-of-concept thing) issue could be in places like hotels, where more people have access.

The Wynn hotels in Vegas announced in December 2016 that they'd have an Echo in every room. While I don't hate the idea of controlling the lights and window shades with my voice, a hotel room is exactly the sort of place I wouldn't trust this sort of thing. But on the other hand, I also have no idea if a casino hotel — which already is wired up more than just about any other place you can visit without a security clearance — isn't already listening in on everything I do.

Pick your poison, really.

A potentially hacked Echo in a hotel room? That's another story.

So, yeah. This is an interesting potential exploit. But it's one that requires me to have an older Amazon Echo. At home, that's something I can rectify myself. (Get one that does not have model number 23-002518-01.) It also requires an attacker to have physical access to my Echo, which again is way worse for me for a host of other reasons.

And, finally (or, rather, first) it requires me to be a target. This isn't something you can just stumble across walking down the street or logging onto someone's Wifi network.

For now? I'm just a guy with an Amazon Echo who's still going to sleep just fine at night.

12 Comments
  • The difference with the hotel scenario is that the hotel management wants you to have a good time, spend money, and come back to do it again...and again. OTOH, since some people do things in Vegas that they'd prefer stay in Vegas, a criminal could make a good living listening in on these things and blackmailing people with the info they collect.
  • Regarding an Echo in a hotel room, it looks like it doesn't have a battery....so, unplug it? Or would that trigger something with the hotel and you would get a call "sir, we've noticed you don't have a working Echo..we'll fix it for you"?
  • I'd guess that they'll be permanently affixed in the same way that hotel hair dryers are often attached to the bathroom walls, so that you can't steal them. Honestly, though, if the hotel wants to record everything in every room, there are much easier ways to do it. I'm with Phil--I won't lose sleep over it.
  • I wouldn't worry about hotel management wanting to secretly record things. I'd be more concerned about criminals with that intent, especially if one or more worked in the hotel. If someone had access to the registration system, they'd know who's checking in and what room they'll be in, and then the Echo in there could be compromised. I'm not saying it'd definitely happen, but it could be done. Of course, if I was staying in China, my assumption would be that the room would be bugged, and so would any computers, tablets, or phones that I allowed to leave my sight for more than a few seconds.
  • "Get one that does not have model number 23-002518-01 " Annnnnd... how are we all supposed to know who has what model??
  • This reminds me of the overblown Galaxy S8 iris scanner "hack" that requires way too much effort for way too little reward. As Phil suggests, people who have no reason to be targeted should worry more about thieves, fraudsters, and scam artists looking for easy payoffs.
  • Right, the more fundamental part is the exposure to Amazon's snooping and tracking that is the product feature. Remember, the only data that cannot be abused is the data not disclosed.
  • If Amazon and Google listening in on you 24/7 doesn't bother you, why would it bother you that a hacker is doing the same thing? An echo or Home in your house is a travesty for personal privacy. Some things aren't worth convenience.
  • I don't disagree with you about the privacy issues, but I think the difference is what a potential eavesdropper other than Amazon or Google might do. Those two companies likely aren't going to steal your identity so they can open accounts in your name and/or drain your bank account. Also, they aren't going to try to blackmail you with sensitive personal information that they might overhear.
  • UPS delivery..."I don't remember ordering the new Pixel 2".... ..A ding can be heard from within the box.. "That's odd". You open the box and your Gmail is preloaded with one new email.. Dear John,
    I couldn't help but overhear you the other day while I was sitting on your shelf. I'm sorry you secretly hate your wife's chicken recipe, you know that's her favorite as it's been passed down a long time according to my searches on your family history..
    I hope you enjoy your new phone, John. Sincerely;
    Google Home
  • The Echo and Google Home don't send anything to the Internet if the hot word isn't uttered. They aren't broadcasting everything 24/7 as you imply.
  • Says you. Have you seen the code?