Consumers who rushed to buy an Amazon Echo in 2015 or 2016 may be at risk of having their conversations and commands recorded.
According to a report from The Verge, hackers have recently discovered a vulnerability in the device that can turn it into a live microphone. Researcher Mark Barnes says that the attack is limited because it requires physical access to the device. However, he points out that product developers shouldn’t take it for granted that customers won’t expose their devices to uncontrolled environments.
“The Amazon Echo is vulnerable to a physical attack that allows an attacker to gain a root shell on the underlying Linux operating system and install malware without leaving physical evidence of tampering,” he said. “Such malware could grant an attacker persistent remote access to the device, steal customer authentication tokens, and the ability to stream live microphone audio to remote services without altering the functionality of the device.”
A live microphone
In a blog post detailing how the attack works, Barnes explains how hackers who gain access to an Echo can rewrite the device’s firmware to send all captured audio from the microphone to a third party, with consumers being none the wiser.
After the changes have been made, the Echo is able to function normally and gives no indication that it has been tampered with. Luckily, the attack only works on 2015 and 2016 models, since changes to the internal hardware of the 2017 model effectively make the hack impossible.
However, Barnes says that the 2015 and 2016 models will likely always be vulnerable to the exploit at a software level. That’s bad news for the owners of nearly 7 million affected devices that were bought over a two-year span. In a statement, Amazon stressed how important it is for consumers to make sure their devices remain updated.
“Customer trust is very important to us,” the company said. “To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date.”
What to do
Barnes says that consumers can tell whether their device is vulnerable by checking the Echo’s original packaging for a 2017 copyright and a model number that ends in “02”. Any devices that do not meet these criteria are potentially at risk.
If you own one of these vulnerable Echo devices, Barnes points out that there are steps you can take to ensure that your voice isn’t being recorded without your knowledge.
“The Amazon Echo does include a physical mute button that disables the microphone on the top of the device or can be turned off when sensitive information is being discussed (this is a hardwire mechanism and cannot be altered via software),” he said.