Hacked Amazon Echo turned other Echoes on same Wi-Fi network into covert listening devices

A pair of Chinese hackers have successfully turned the Amazon Echo smart speaker into a spy bug which can covertly listen to a victim's private conversations, save the recordings, and send them to malicious parties.

However, while this is likely one of the biggest fears of smart speaker owners, the hack required access to the victim's Wi-Fi network and was patched by Amazon with a software update before being made public this week.

The attack, orchestrated by cybersecurity researchers Qian Wenxiang and Wu Huiyu, was demonstrated on stage at Defcon on Sunday (August 12). The grand finale of the attack, which took advantage of "multiple vulnerabilities", saw the hackers take control of what the smart speaker said through its Alexa AI, and enable the device's microphones.

This is far from the first time that smart speakers have been targeted by security researchers keen to flag up potentially invasive vulnerabilities. In April this year, a seemingly innocent calculator skill caused Echo devices to keep listening after they had finished speaking. In 2017, a researcher discovered how to turn older Echo devices made in 2015 and 2016 into spying bugs.

To perform the most recent attack, the researchers — from the Blade division of Chinese tech company Tencent — first had to buy their own Amazon Echo, then open it up, remove the flash chip, write a custom firmware and install this onto the chip, then solder it back onto the device.

This modified Echo speaker was then able to attack other Echo devices connected to the same network — Echo devices which had not been modified by the researchers. The device did this by taking advantage of now-patched vulnerabilities in the Alexa interface on Amazon's website.

The next step, explained by the researchers to Wired, involved connecting the modified Echo to a victim's Wi-Fi network. This could be done by sitting nearby and using a brute-force attempt to guess the password, or by someone tricking the victim into adding it to the network themselves, for example by gifting it to them.

Once on the network, the modified Echo took advantage of vulnerabilities in Amazon's Whole Home Audio Daemon, which the smart speakers use to communicate with each other. This is what the researchers then used to take control of the victim's own Echo devices — not the modified speaker, but box-fresh examples on the same network. This gave them full control of the target device, including the ability to open its microphone and transmit recordings to the cloud.

Naturally, the complexity of such an attack means that — even if Amazon had not patched it — regular consumers are very unlikely to have fallen victim to it. But high-value targets could have made the complex process worthwhile for attackers who wanted to record a specific person of interest or sensitive conversation, for example.

Amazon said in a statement that its customers "do not need to take any action as their devices have been automatically updated with security fixes."