White-hat Chinese hackers turn Alexa into a spy, briefly

This won’t come as any surprise to those of you who put tape over your laptop’s cameras, but Alexa might not be 100 percent secure. This week at the Def Con Hacking Conference in Las Vegas, researchers from the Chinese conglomerate Tencent Holdings disclosed that they were able to use a modified Amazon Echo to hack into another Echo running on the same network. The researchers were not only able to take full control of the secondary device but also silently record and transmit audio to a third party, essentially turning the smart speaker into a great big bugging device, as reported by Wired.

If you’re feeling the slightest bit paranoid right now, cool your jets. These white-hat hackers have already informed Amazon of the exploit and the company rolled out security fixes last month.

Researchers Wu Huiyu and Qian Wenxiang also explained that their technique involved far more than a straight-up remote hack, fortunately. First, they had to drastically modify a standard Echo by removing a flash memory chip, modifying its firmware to get root access, and soldering the chip back onto the circuit board. Sure, this takes little more than some engineering knowledge and a few things from RadioShack, but it’s still not something your average spy is likely to have on hand.

However, once they placed their rogue device on the same network as other Echo devices, they could use Amazon’s proprietary communication protocols plus some previously undiscovered Alexa interface flaws (address redirection, cross-site scripting, and web encryption downgrades) to gain full access to those devices. They could, for a more banal example, play any sound they wanted to. Or they could silently record and transmit every single sound in the room, including conversations in adjacent rooms.

When we extend the logic, that means that an espionage outfit could simply replace a single Amazon smart speaker in a hotel’s network and take complete command over every smart speaker on the network. Sleep tight.

“After several months of research, we successfully break the Amazon Echo by using multiple vulnerabilities in the Amazon Echo system, and [achieve] remote eavesdropping,” the hackers said in a statement to Wired. “When the attack [succeeds], we can control Amazon Echo for eavesdropping and send the voice data through the network to the attacker.”

In addition to noting that the Alexa interface flaws have been patched, Amazon stressed that this particular hack requires a malicious actor to have physical access to at least one device.

This is just the latest in a series of attempts to crack the smart speaker’s security platform. Last year, British hacker Mark Barnes was able to install malware on an Echo via metal contacts accessible under the speaker’s rubber base. The security firm Checkmarx also revealed a potentially dangerous security flaw earlier this year when it hacked Alexa’s recording function via malware on a seemingly innocuous calculator app.

Clayton Moore