Arthur Musgrove Home

Amazon Echo Hacked - What are the Implications for Smart Home Devices?

Synopsis: Smart Speakers, such as the Amazon Echo and Google Home, are part of and necessary to the on-going march toward an all-enveloping digital life. However, like with most new technologies, the security and privacy concerns are only beginning to be appreciated.

Last Updated: 20/Sept/2018

Overview

It seems like security and privacy issues are always playing catch-up with new technologies. Smart Speakers, along with the Internet of Things (IoT) classes of devices, are a huge growth market in the march toward an all-envoloping digital life. Only now are people starting to talk about security of these devices and becoming aware of privacy concerns.

Smart Speakers are always listening. Always. They are designed to only start actiing after certain keywords, like Alexa or Ok, Google. Those designs are all in the software, and software can contain inadvertant mistakes or be maliciously hacked.

Consider the case of the Portland, Oregon couple who accidentally had their private conversation recorded and transmitted by an Echo. In this case, because the Echo is always listening, it acted on a series of co-incidental keywords. While this incident was unintended, this shows that the device is always listening whether it is acting or not. It is just choosing not to act on words when it isn't in 'active mode'.

Because it is always acting, there is the potential for malicious actors to use Smart Speakers for eavesdropping or other sorts of malicious activity.

The Echo Hack

Researchers Wu HuiYu and Qian Wenxiang of Tencent in China were able to hack the Echo for spying. The particular way they did it is not for the faint of heart, but it demonstrates what is possible for a determined attacker.

They took an existing Echo and made software modifications, specifically to the firmware. To accomplish this, they had to remove the Flash memory, which involved some soldering to remove the Flash and then re-attach it after the modification.

They then had their modified Echo join a network with unmodified Echos. This could be done to any network within Wi-Fi range, which may or may not require other techniques to gain access. For instance, hotel networks would be easy to access, making Echos used in hotel rooms vulnerable to this type of attack.

The modified Echo instructed other, non-modified Echos on the target network to begin recording and transmitting to the modified Echo, which then onward transmitted what was recorded. In effect, every Echo on the compromised network became a spy station.

The Mirai Botnet

As you can see from the above, Smart Home devices can be used for inward attacks, for instance eavesdropping. These devices can also be co-opted for outward attacks.

The first major example of this is the Miria botnet. Mirai compromised insecure IoT devices and co-opted them into a Distributed Denial of Service (DDoS) botnet. Mirai was a fast-infecting piece of malware tht ultimately infected tens of thousands of devices tht were later used in a successful DDoS attack in Sept 2016.

Conclusion

Smart Speakers are always listening, and they are increasing controlling devices in the home. These are key selling points of these devices, but they also make them tempting targets for malicous actors, whether individuals, hacking collectives, criminals or nation-states wish to spy on its citizens.

Going forward, makers of these devices should pay even greater attention than they do to security and privacy, and consumers should be educated on pitfalls of these devices. At some point, education in the marketplace will hopefully lead to an acceptable compromise between conveince & functionality on one side and security & privacy on the other.

Regulators at some point will surely step in to protect citizens, or perhaps for more nefarious reasons to enable monitoring of citizens. Remember the Clipper Chip?