Researchers Find Way To Hack, Remotely Listen To Amazon Echo

Smart speakers like Amazon Echo and Google Home represent potentially massive security problems, but until now, those problems have mostly only existed in theory. However, a team of researchers from the massive Chinese conglomerate Tencent recently found a way to listen to what an Echo device hears remotely, Wired reported.

The plan requires technical expertise and has at least one serious limitation, but Tencent’s Blade research team showed that it is theoretically possible to target an Echo device over an internet network.

Basically, the hackers physically altered their own Echo device by taking out a chip and putting their own firmware on it. After reinstalling it and rebuilding the Echo, they can take advantage of several security holes in Amazon’s Echo programming to target another user’s Echo device and listen in remotely.

A hacker who successfully pulled this off would not only have access to secret audio surveillance, but could even play whatever audio they wanted through small speaker device.

There are multiple serious limitations with this plan, however. First, Amazon has already patched all of those holes, since the Blade team reported their findings to Jeff Bezos’ tech giant before publicly revealing the hacking technique. Second, even if Amazon had not fixed anything, it would have required the hackers to put their altered Echo on the same wi-fi network as the one they were targeting.

The hackers claim they can make the necessary physical tweaks to an Echo within 15 or 20 minutes, opening up possibilities for physical hacks. Former NSA hacker Jake Williams told Wired that a fully remote Echo hack has a high degree of difficulty that might make it unlikely to happen anytime soon.

Smart speakers only accept commands that follow greetings like “Hey Alexa,” but they still pick up all the sound around them. This has led to privacy concerns in the few years that these devices have been on the market. Both Echo and Home archive every voice command the user makes for listening afterward, which will remain until users manually erase them.

Echo’s ability to violate privacy made waves back in May when an Oregon family unknowingly had an entire conversation recorded and then sent to a contact. At the time, Amazon promised that was not supposed to happen and would be fixed.