Amazon Echo Hacked - What are the Implications for Smart Home Devices?
Smart Speakers, such as the Amazon Echo and Google Home, are part of and necessary to the on-going march toward an all-enveloping digital life. However, like with most new technologies, the security and privacy concerns are only beginning to be appreciated.
-- by Arthur J Musgrove
Last Updated: 20/Sept/2018
It seems like security and privacy issues are always playing catch-up with new technologies.
Smart Speakers, along with the Internet of Things (IoT) classes of devices, are
a huge growth market in the march toward an all-enveloping digital life.
Only now are people starting to talk about security of these devices and becoming aware of privacy concerns.
Smart Speakers are always listening. Always. They are designed to only
start acting after certain keywords, like Alexa or
Ok, Google. Those designs are all in the software, and software
can contain inadvertent mistakes or be maliciously hacked.
Because it is always acting, there is the potential for malicious actors
to use Smart Speakers for eavesdropping or other sorts of malicious
The Echo Hack
Researchers Wu HuiYu and Qian Wenxiang of Tencent in China were able to
hack the Echo for spying. The particular way they did it is not for the
faint of heart, but it demonstrates what is possible for a determined
They took an existing Echo and made software modifications, specifically
to the firmware. To accomplish this, they had to remove the Flash
memory, which involved some soldering to remove the Flash and then
re-attach it after the modification.
They then had their modified Echo join a network with unmodified Echos. This
could be done to any network within Wi-Fi range, which may or may not
require other techniques to gain access. For instance, hotel
networks would be easy to access, making Echos used in hotel rooms
vulnerable to this type of attack.
The modified Echo instructed other, non-modified Echos on the target network
to begin recording and transmitting to the modified Echo, which then
onward transmitted what was recorded. In effect, every Echo on the
compromised network became a spy station.
The Mirai Botnet
As you can see from the above, Smart Home devices can be used for inward
attacks, for instance eavesdropping. These devices can also be co-opted
for outward attacks.
The first major example of this is the
Mirai compromised insecure IoT devices and co-opted them into a
Distributed Denial of Service (DDoS) botnet. Mirai was a fast-infecting
piece of malware that ultimately infected tens of thousands of
devices that were later used in a successful DDoS attack in Sept 2016.
Smart Speakers are always listening, and they are increasingly controlling
devices in the home. These are key selling points of these
devices, but they also make them tempting targets for malicious
actors, whether individuals, hacking collectives, criminals
or nation-states wishing to spy on their citizens.
Going forward, makers of these devices should pay even greater attention
than they do to security and privacy, and consumers should be educated
on the pitfalls of these devices. At some point, education in the marketplace
will hopefully lead to an acceptable compromise between
convenience & functionality on one side
and security & privacy on the other.
Regulators at some
point will surely step in to protect citizens, or perhaps for
more nefarious reasons to enable monitoring of citizens. Remember the Clipper Chip?
All views expressed in this article are my own and do not represent the
opinions of any other entity whatsoever with which I have been, am now
or will ever be affiliated. No assurance of accuracy is given and
any use of any information provided is entirely at your own risk. The
author assumes no responsibility or liability for any errors or
omissions in the content of this article. No information provided is intended
to be a source of investment advice or credit analysis with respect to
any material presented or otherwise. Nothing contained in this article
is intended to defame or harm any person, business or other entity.
The author retains sole and exclusive
ownership of all material herein.