Amazon Echo can be hacked to steal 'sensitive information'

Amazon's Echo smart speaker can be hacked into, enabling cyber criminals to eavesdrop on private conversations and steal user information, a researcher has discovered.

Mark Barnes, a researcher at MWR Labs, says the speaker is "vulnerable to a physical attack" that could allow a hacker to install malicious software and gain "remote access to the device."

He says that hackers could "stream live microphone audio" from the device without the user knowing.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

The security flaw is found in "ports used to debug the device", says the Daily Telegraph, and these are hidden underneath a flap on the base of the speaker.

"Hackers could attach a malicious storage card to these without the user knowing that would give them access to the operating system of the Echo", adds the paper. If that were to happen, hackers could "see an owner's Amazon credentials" or "steal sensitive information".

But The Verge reports that only Amazon Echo devices bought between 2015 and 2016 are vulnerable as this year's model features hardware alternations that make the hacking method in its current guise impossible.

A hacker would also need to physically insert an SD storage card into the device to gain access to it, says the BBC, making it very difficult to carry out an attack.

Users who take their devices with them on holidays or business trips could find themselves exposed to hackers, the broadcaster says, while second-hand devices "may also be compromised in some way.

Despite the Echo bringing "questions of privacy with its always listening microphones", Barnes argues that "many of us walk around with trackable microphones in our pockets without a second thought."

He concludes by saying that "product recalls and modifications can be expensive in post production", and suggesting that physical attacks should be incorporated into "any security assessments" on home devices "as early as possible".