Hackers at DefCon have exposed new security concerns around smart speakers.
Tencent's Wu HuiYu and Qian Wenxiang spoke at the security conference with a presentation called "Breaking Smart Speakers: We are Listening to You," explaining how they hacked into an Amazon Echo speaker and turned it into a spy bug.
The hack involved a modified Amazon Echo, which had parts swapped out, including some that had been soldered on. The modified Echo was then used to hack into other, non-modified Echos by connecting both the hackers' Echo and a regular Echo to the same LAN.
This allowed the hackers to turn their own, modified Echo into a listening bug, relaying audio from the other Echo speakers without those speakers indicating that they were transmitting.
This method was very difficult to execute, but represents an early step in exploiting Amazon's increasingly popular smart speaker.
The researchers notified Amazon of the exploit before the presentation, and Amazon has already pushed a patch, according to Wired.
Still, the presentation demonstrates how one Echo, with malicious firmware, could potentially alter a group of speakers when connected to the same network, posing concerns with the idea of Echos in hotels.
Wired explained how the networking feature of the Echo allowed for the hack:
"If they can then get that doctored Echo onto the same Wi-Fi network as a target device, the hackers can take advantage of a software component of Amazon speakers, known as Whole Home Audio Daemon, that the devices use to communicate with other Echoes in the same network. That daemon contained a vulnerability that the hackers found they could exploit via their hacked Echo to gain full control over the target speaker, including the ability to make the Echo play any sound they chose, or more worryingly, silently record and transmit audio to a faraway spy."
An Amazon spokesperson told Wired that "customers do not need to take any action as their devices have been automatically updated with security fixes," adding that "this issue would have required a malicious actor to have physical access to a device and the ability to modify the device hardware."
To be clear, the actor would only need physical access to their own Echo to execute the hack.
While Amazon has dismissed concerns that its voice-activated devices are monitoring you, hackers at this year's DefCon proved that they can.