New research, released today by MWR InfoSecurity, reveals how the team have successfully compromised the Amazon Echo by exploiting a vulnerability in the device to turn it into a ‘wiretap’, without affecting its overall functionality. Found to be susceptible to a physical attack, which allows an attacker to gain a root shell on the Linux Operating Systems and install malware, the Amazon Echo would enable hackers to covertly monitor and listen in on users and steal private data without their permission or realisation.

By removing the rubber base at the bottom of the Amazon Echo, the research team could access the 18 debug pads and directly boot into the firmware of the device, via an external SD card, and install persistent malware without leaving any physical evidence of tampering. This gained them remote root shell access and enabled them to access the ‘always listening’ microphones.

Following a full examination of the process running on the device and the associated scripts, MWR’s researchers investigated how the audio media was being passed and buffered between the processes and the tools used to do so. They then developed scripts that leveraged tools embedded on the device to stream the microphone audio to a remote server without affecting the functionality of the device itself. The raw data was then sampled via a remote device, where a decision could then be made as to play it out of the speakers on the remote device or save the audio as a WAV file.

The vulnerability has been confirmed to affect the 2015 and 2016 editions of the device. The 2017 edition of the Amazon Echo is not vulnerable to this physical attack. The smaller Amazon Dot model also does not carry the vulnerability.

Mark Barnes, Security Consultant at MWR InfoSecurity comments: “The rooting of the Amazon Echo device in itself was trivial; however, it raises a number of important questions for manufacturers of Internet enabled or ‘Smart Home’ devices. The biggest limitation of this vulnerability is the need for physical access to the device itself, but it shouldn’t be taken for granted that consumers won’t expose the devices to uncontrolled environments that places their security and privacy at risk.

“What this research highlights is the need for manufacturers to think about both the physical and digital security risks that the devices may be subjected too and mitigate them at the design and development stage. Whilst Amazon has done a considerable amount to minimise the potential attack surface, these two hardware design choices – the unprotected debug pads and the hardware configuration setting that allows the device to boot via an external SD card – could expose consumers to an unnecessary risk.”

To mitigate the risk posed, MWR InfoSecurity provides the following recommendations:

• Use the mute button - the Amazon Echo does come with a physical mute button that disables the microphone on the top of the device or can be fully turned off if sensitive information is being discussed
• Monitor for any unusual activity – Whilst this vulnerability is undetectable on the physical device, it is possible to monitor the network traffic and look for any anomalous activity. This could indicate a compromise.
• Purchase directly from Amazon or trusted retailers– As this vulnerability can only be exploited once an attacker has physical access to the device, buying an Amazon Echo second-hand could expose users to the potential purchase of a tampered device.

Following MWR InfoSecurity’s full disclosure of the vulnerability to Amazon, the company has issued the following recommendation: "Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date.”

To read the full details on how the MWR InfoSecurity team discovered and exploited the Amazon Echo vulnerability, please click HERE.