New research has revealed that the 2015 and 2016 models of the Amazon Echo feature security vulnerabilities that can be exploited by hackers to turn them into spying tools.
Security vulnerabilities in the 2015 and 2016 models of the Amazon Echo cannot be patched by software updates, leaving them vulnerable forever.
This major security flaw was revealed by security researcher Mark Barnes at MWR InfoSecurity via a blog post published yesterday. According to Barnes, a hacker can ‘gain a root shell on the underlying Linux operating system and install malware without leaving physical evidence of tampering’.
This way, the hacker can gain remote access to an Amazon Echo device, stream live microphone audio to remote services without alerting users and steal customer authentication tokens. The said vulnerability is present in both 2015 and 2016 models of the Amazon Echo.
What’s worse is that the said vulnerability cannot be patched using software upgrades, thus leaving the devices vulnerable for eternity. Barnes said that this is due to the fact that the vulnerabilities occurred because of a couple of design flaws, namely exposed debug pads on the base of the device and a faulty hardware configuration setting which allows the device to boot from an external SD Card.
He added that Amazon fixed both design flaws in the 2017 model of the Amazon Echo so the vulnerability has been contained to the older models. The 2016 models of Amazon Echo devices have their model numbers ending with ’01’ while the 2017 models have their model numbers ending with ’02’.
To give some respite to owners of older Amazon Echo models, Barnes added that to gain root access to these devices, hackers need physical access to them to ensure that their microphones are turned on. To ensure their privacy is not at risk, users can thus prevent hackers from exploiting their speakers by turning off a physical mute button at the top of the devices that disables the microphone.
Considering how expensive it is for manufacturers to initiate product recalls and fix design issues, Barnes suggests that they should give a priority to physical security of IoT devices throughout the development life cycle, including the planning stage.
‘Physical attacks should also be incorporated into any security assessments as early as possible to increase assurance of the product and save money on not having to produce new hardware prototypes later in product development,’ he said.
Motherboard spoke to Amazon following the publication of Barnes’ research findings and found that it is possible for hackers to pre-hack older Amazon Echo models and then sell it on the secondary market. Amazon has thus advised its customers to purchase Amazon Echo devices only from Amazon or a trusted retailer.
“Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date,” the company said.