Say what? Amazon Echo's smart speaker can be hacked, expert claims

A security expert claims hackers could turn the Amazon Echo into a covert microphone.

MWR Info Security researcher Mark Barnes was able to hack the smart speaker, letting him hear an audio stream of everything the device hears, in addition to letting him take control of it.

"The Amazon Echo is vulnerable to a physical attack that allows an attacker to gain a root shell on the underlying Linux operating system and install malware without leaving physical evidence of tampering," Barnes wrote in a blog post, announcing his findings. "Such malware could grant an attacker persistent remote access to the device, steal customer authentication tokens, and the ability to stream live microphone audio to remote services without altering the functionality of the device."


Barnes was able to initiate the hack by peeling off the rubber base of the Echo and exposing a grid of electrical contacts. From there, Barnes was able to watch the Echo turn on, figure out its configuration and insert software that took control of the device.

Though Barnes describes hacking the device is "trivial," a potential hacker would need physical access to the device, which the researcher describes as "a major limitation."

The 2015 and 2016 versions of the Echo are susceptible to the hack, while the 2017 edition is not, Barnes added.

Amazon has worked with major hotel chains, including the Wynn Las Vegas, to put the Amazon Echo in hotel rooms.

In a statement to Fox News, an Amazon spokesperson said,“Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date.”

Barnes added that the Echo device does include a mute button which allows users to disable the microphone so that sensitive information is not picked up. "Although the Echo brings about questions of privacy with its 'always listening' microphones, many of us walk around with trackable microphones in our pockets without a second thought," the researcher wrote.


The findings come at a time when the U.S. government is working to try to protect the so-called "internet of things" and make it more secure.

A bipartisan group of U.S. senators is planning to introduce legislation to address these types of vulnerabilities, according to Reuters. The bill would require devices that connect to the internet, such as smart speakers, refrigerators, televisions and other everyday objects to ensure their devices can be patched and meet safety and security standards.

"While government Internet of Things devices are one threat vector, in the coming years we will need guidelines to direct how data is protected in the vendor’s ecosystem, like children’s toys, or devices that are not regularly connected to the internet, like video cameras," Michael Daly, CTO, Raytheon Cybersecurity & Special Missions told Fox News via email. "It is critical for government and consumers that we address new vulnerabilities as the threat landscape rapidly expands."

The bill is being sponsored by Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden.

The Echo responds to voice commands such as "Alexa, tell me what time it is" or "Alexa, tell me the news." Since being unveiled in the U.S. in June 2015, there are more than 15,000 "skills" (akin to apps on a smartphone) for the Echo and it has become one of Amazon's hottest selling products.


At its most recent Prime Day holiday, Amazon said members of its $99-a-year service, Amazon Prime, purchased "seven times more Amazon Echo devices globally than on Prime Day 2016."

Amazon has not broken out exact sales figures for the device. However, a survey by Consumer Intelligence Research Partners estimates Amazon has sold more than 10 million Echo devices in the U.S.

Follow Chris Ciaccia on Twitter at @chris_ciaccia

This story has been updated to include Amazon's statement and comments from Raytheon CTO.