Pre-2017 versions of Amazon Echo can be turned into eavesdropping devices

In August 2017, security researcher Mark Barnes released his analysis on the Amazon Echo, a home assistance device that enables users to voice-control other smart devices. The device listening to your everyday conversations by default can be turned into a wiretap by physically affecting the device without any trace.

The Amazon Echo is a smart wireless speaker enabling customers to use the Alexa Voice service. The device can be used for multiple purposed. It can play music from Amazon Music, Spotify, Pandora and other services using just the customer's voice. The device accepts voice input from across the room with far-fetch voice recognition, even while music is playing. Amazon Echo answers questions, reports news, read audiobooks, and even places online orders if asked. The device comes in handy with its functionality to control lights, thermostats, garage doors, and more with other compatible devices from Sony, Samsung, Nest, and others. The Echo responds to the wake word "Alexa" instantly. It is also possible to place a call to a friend or relative who has an Echo, Echo Show, Echo Dot, or the Alexa App.

Mark Barnes discovered a vulnerability in Amazon Echo devices released before 2017. More specifically, the vulnerability was found in devices issued in 2015 and 2016. The devices can be compromised because of two hardware design choices, which are exposed debug pads that were used to test the device before selling, and hardware configuration setting, which enables the device to boot from a SD card.

Removing the device's rubber base reveals 18 debug pads that are used to perform various diagnostics. The researcher's hack focused on attempting to gain root access to the device via the pads present on the device using the Linux operating system. He connected his device and installed software that records voice and sends audio to his eavesdropping computer. The audio recorded and sent to the server could be played backed on a remote device, allowing the third party to listen in to the conversation. Moreover, Barnes' hack enabled him to spread to other remotely connected devices.

This type of attack on a larger scale would enable penetrators to obtain sensitive information; however, hacking the Amazon Echo device right in your home so that no trace is left would require some time, so this scenario is not likely to happen. However, it is possible to be listened in covertly if you purchase a pre-hacked second-hand device. It is also more likely that someone would attempt to build a hack that instantly compromises the device without soldering and fiddling.

This scheme is quite possible because Amazon reportedly sold over 11 million Echo devices between mid-2015 and December 1st , 2016. The majority of the devices were sold in the U.S., and approximately 400,000 Echoes sold in Germany.

Echo devices made between 2015 and 2016 are likely to remain vulnerable, which is not the case with devices made in 2017. The problem of the prior-2017 models is in the physical characteristics of the hardware.

An Amazon spokesperson admits that customer trust is very important to Amazon and recommends purchasing Amazon devices from Amazon or trusted retailed. Without a doubt, it is necessary to keep software up-to-date. Additionally, data leaks can be prevented by turning off the microphone of the device. If you suspect that someone might be spying on you, simply turn off the device. Lending out the device to others should be also avoided as well as leaving the device in public places such as hotels.