Smart home speakers equipped with microphones programmed to listen for everything you say may be turned into devices that would spy on everything you say. Gadgets like Amazon Echo and Google Home are programmed to record your commands, but they’re also programmed to ignore everything you say unless you use a hot word to activate the assistants.
But as it turns out, someone with physical access to an Amazon Echo device could hack it to send everything it hears to a remote server.
There’s good and bad news about this Amazon Echo hack, MWR Security researcher Mark Barnes explained in a blog post.
First of all, you have to have actual access to the device to mess with its hardware. Then, you have to make sure it’s either a 2015 or 2016 model, as brand new Echo versions can’t be hacked similarly.
But if these conditions are met, then a hacker can quickly take the Echo’s base apart and load on it custom firmware that will instruct it to record everything spoken around it. That data can then be sent out to a remote server. That’s what Barnes did in his security tests.
Hacking a home speaker may be the best way to spy on certain targets, even if this implies infiltrating their homes to actually mess with the hardware.
Amazon, meanwhile, told BBC that “customer trust is very important.” The company also advised against buying used devices. “To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date.”
If you were to buy a second-hand speaker, then you’d better make sure it’s a 2017 device or later.
You can read Barnes’ full report at this link.