Personal Assistant Device

Amazon Echo 1st Generation

Device Safety

Rating scale: Very Unsafe, Not Safe, Safe, Very Safe

- Product: Amazon Echo 1st Generation

- Camera: No

- Microphone: No

- Connectivity: Wi-Fi

- Material: Metal

Overview

Our hacking team tested one of the most popular personal assistant devices on the market, the Amazon Echo. The Echo is known for its intuitive design and complex functionality, and its 24/7 listening function lets users control their smart gadgets with a simple verbal command, making everyday tasks simpler. But does it also open you up to hackers?

Tactics

Taking into consideration the non-stop listening feature, the hackers focused their efforts on gaining full control over the device. Further research revealed a critical vulnerability related to the hardware design of the product. The sensitive debugging pads are easily accessible through the base of the device, and configuration settings allow the personal assistant to boot from an external source. In other words, if someone has access to the base of your device, they can manipulate the Echo and use it to listen in on your family.

Exploitation

Starting the device from a specially crafted SD card allowed our team to gain administrative control over the underlying operating system and install malicious software without leaving physical evidence of tampering, which makes it particularly difficult to spot that the device has been modified.

Once installed, this malware could grant an attacker persistent remote access to the device, the ability to steal customer authentication tokens, and the power to stream live microphone audio without altering the functionality of the device. As a result, hackers could listen in on your family without you ever being aware.

Recommendations

Users can follow a set of simple rules in order to ensure security best practices have been met:

- Buy your smart gadget from an officially certified source; second-hand devices are particularly vulnerable to this attack.

- Always perform open-source research through reliable search engines (e.g. Google, Bing, etc.) on possible vulnerabilities identified for the smart device you are interested in.

- Watch for any signs of physical tampering with the product.

- Stay up-to-date with the latest news around your device.

- Contact the seller directly if you or someone else has identified any major misconfiguration.