Chinese hackers turn Amazon’s Echo speakers into spies

By Le Williams | 2 years ago

At the DefCon security conference Sunday, researchers Wu Huiyu and Qian Wenxiang plan to present a technique that links a series of bugs in Amazon’s second-generation Echo to take over the devices and stream audio from its microphone to a remote attacker.

A group of Chinese hackers has spent several months refining a new technique for hijacking Amazon’s voice assistant gadget, providing insight into the probable methods that can be used to facilitate a surveillance hack.

The group informed Amazon of their conclusions, and the company implemented security fixes in July.

“After several months of research, we successfully break the Amazon Echo by using multiple vulnerabilities in the Amazon Echo system, and [achieve] remote eavesdropping,” reads a description of their work provided to WIRED by the hackers, who work on the Blade team of security researchers at Chinese tech giant Tencent. “When the attack [succeeds], we can control Amazon Echo for eavesdropping and send the voice data through network to the attacker.”

The researchers’ attack, though since patched, illustrates how hackers can combine a collection of malicious tricks into an intricate multistep penetration technique that works even against a relatively secure gadget such as the Echo.

“They start by taking apart an Echo of their own, removing its flash chip, writing their own firmware to it, and re-soldering the chip back to the Echo’s motherboard. That altered Echo will serve as a tool for attacking other Echoes: Using a series of web vulnerabilities in the Alexa interface that included cross-site scripting, URL redirection, and HTTPS downgrade attacks—all since fixed by Amazon—they say that they could link their hacked Echo with a target user’s Amazon account,” explains Wired.