With companies pushing to launch their virtual assistants (VAs), security should always be a concern, since these devices are mass-produced on a large scale. A small security loophole could put thousands or even millions at risk, whether it be Google Home or Amazon’s line of Alexa-equipped devices. Since they’re all connected to the internet at all times, hackers could potentially siphon the data they collect, and the devices themselves can be exploited.
A hack was demonstrated at Def Con 26, where hackers used multiple vulnerabilities to demo how the Echo could be used as an eavesdropping device:
“In this talk, we will present how to use multiple vulnerabilities to … remote attack some of the most popular smart speakers. Our final attack effects include silent listening, control speaker speaking content and other demonstrations. And we’re also going to talk about how to extract firmware from BGA packages Flash chips such as EMMC, EMCP, NAND Flash, etc. In addition, it contains how to turn on debug interfaces and get root privileges by modifying firmware content and Re-soldering Flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely access some Smart Speaker Root permissions and use smart speakers for eavesdropping and playing voice.”
In plain English, this roughly translates to tweaking Alexa’s onboard firmware content in order to use it to spy on its surroundings. It can listen silently, be controlled to speak, and have the speech module overwritten from a remote location. This means a hacker could potentially hack into an Echo device and force it to speak or listen to its environment and relay the sounds back to the hacker’s computer.
As companies jump on board the VA bandwagon, security is an issue that needs to be addressed. Simply having a device in the household doesn’t mean it’s safe from hacking and vulnerabilities. Companies that are new to the scene, like Facebook, which plans to launch its own version of a smart speaker very soon, will only create more demand for these types of products, which means a larger audience to safeguard from hacks and a more appealing target for hackers looking to bypass the security.
Although Amazon’s Alexa already listens to what its users say, it purges that audio on a timed interval (trailing five seconds after its name), unlike this hack, which actually relays the information without a purge.
Amazon quickly patched and resolved the security issue that was demonstrated.
Image via Amazon.