Since smart speakers like the Amazon Echo first began to appear in homes around the world, the security community has come to see them as a prime target. But that threat has remained largely hypothetical: no Amazon Echo malware has appeared in the wild, and even proof-of-concept attacks on the devices have remained impractical at best.

Now, one group of Chinese hackers has spent months developing a new technique for hijacking Amazon's voice assistant device. It's still hardly a full-blown remote takeover of those smart speakers. But it may be the closest thing yet to a practical demonstration of how the devices might be silently hijacked for surveillance.

At the DefCon security conference Sunday, researchers Wu Huiyu and Qian Wenxiang plan to present a technique that chains together a series of bugs in Amazon's second-generation Echo to take over the devices and stream audio from their microphones to a remote attacker, while offering no clue to the user that the device has been compromised.

Echo owners shouldn't panic: the hackers have already alerted Amazon to their findings, and the company pushed out security fixes in July. Even before then, the attack required some serious hardware skills, as well as access to the target Echo's Wi-Fi network, a degree of difficulty that likely means it wouldn't be used against the average Amazon Echo owner. But the effort nonetheless sheds new light on how an Echo eavesdropping technique might work against a high-value target.

“After several months of research, we successfully break the Amazon Echo by using multiple vulnerabilities in the Amazon Echo system, and [achieve] remote eavesdropping,”

“When the attack [succeeds], we can control Amazon Echo for eavesdropping and send the voice data through network to the attacker.”

A Potential To Listen Already Built-In

Since the Amazon Echo is a smart speaker capable of voice interaction, the ability to listen to human voices is already built into the device, and forms an integral part of its operation and purpose.

In addition to music playback, making to-do lists, setting alarms, streaming podcasts, playing audiobooks and so on, the Echo can also control several smart devices when used as a home automation hub. This adds to its potential to become someone else's secret personal listening/spying device if hacked.

Installing Malware On The Echo

Mr Barnes has been reported as saying that anyone could install malware on an Echo, and that taking over the device was “trivial” as long as the hacker had easy physical access to it.


How Is It Done?


Such a hack is made possible by peeling off the rubber base of the Echo to expose a grid of electrical contacts, and then by connecting to one of the contacts to observe the boot-up procedure and work out how the device is configured.

Armed with this knowledge, a small memory card loaded with software can then be connected to one contact pad, giving a person control over the device. From this stage, how the audio is handled can be studied, and attack code can then be created which forwards everything that the device hears to a remote server.

The method of attack is not exactly simple, though. It required acquiring and physically modifying an Echo speaker by removing the embedded flash chip so the hackers could write their own custom firmware to it, and then soldering it back into place. Once modified, the Echo smart speaker acted as a malicious tool for hacking other Echo speakers.

Even then, there are hoops to jump through. The modified Echo has to be on the same Wi-Fi network as the target speaker. If an attacker can accomplish all that, they can then leverage a series of web exploits in the Alexa interface, including cross-site scripting, URL redirection, and HTTPS downgrade attacks.

There is no reason to be worried about this specific method being used in the wild. The researchers presented their findings to Amazon, which in turn has already pushed out fixes to patch the security holes that made this type of attack possible.

No Comment From Amazon

Despite the claims being widely reported online, there has been no comment as yet from Amazon (at the time of writing this article).

What Does This Mean For Your Business?

This story highlights how many of the existing fears about the vulnerability of smart devices are still very much present, and how a device that is designed to listen anyway could pose even more of a risk.

Security fears are nothing new, and usually focus on how devices could be taken over and used against us due to customers not changing the default passwords that the devices come with. What makes the fears about this story more real is that reports indicate that the researcher has actually tried it and succeeded.

For businesses that develop these products, apart from the initial bad PR, the finding of security holes by security professionals could actually allow them to address security flaws early on, and prevent an even worse, more costly situation e.g. malicious hackers finding the flaw and launching attacks on customers.

An example of an exploitable fault discovered in household devices happened back in June, when all Virgin ‘Super Hub 2’ and ‘Super Hub 2 AC’ routers (made by Netgear) were found to have exactly the same private encryption key. These standard home routers are used by one of the UK’s largest ISPs, and are used in millions of homes (and small businesses) across the UK. Having a common security flaw in all of them, which could be exploited by cyber criminals using a relatively low-tech, low-cost method, represented a major potential security risk for millions of people. Virgin Media were then forced to develop and distribute a security patch.

Security is likely to be a major concern for quite some time yet as it has not been effectively addressed in the marketplace, so this story about potential security flaws in a popular device is likely to be one of many going forward.

What do you think?

Did you get an Amazon Echo? How do you feel about the Echo now?