Researchers Discover Amazon Echo Security Glitch

If you’re already paranoid about always-on smart speakers eavesdropping on conversations, brace yourself: Researchers in the U.K. have discovered a security flaw in Amazon Echo smart speakers sold in 2016 that enables them to be turned on without summoning “Alexa,” according to a report in The Telegraph.

Once hacked, the speaker could be used as a "wiretap" that sends recordings to a remote computer, allowing unsavory characters to listen in on conversations and gain access to the owner's Amazon credentials, the report said.

The flaw was discovered by Mark Barnes of cyber security consultancy MWR InfoSecurity. "Someone could use [the hack] to install malicious software on the device and turn it into a wiretap without the person who owns the Echo knowing," he told The Telegraph.

The security vulnerability affects Echo speakers sold in 2016 and not the newer Echo Dot, according to the report, which said Amazon has fixed the problem in models released in 2017.

From the report:

The hardware vulnerability is found in ports used to debug the device, which are hidden underneath a flap on the base of the speaker. Hackers could attach a malicious storage card to these without the user knowing that would give them access to the operating system of the Echo.

From here, they could infiltrate the user's Amazon account, the apps on the speaker, and the system that always listens for the wake word, normally "Alexa." The latter would allow them to hear all conversations that happen in the vicinity of the speaker.

"On the base of the Amazon Echo there are 18 pads you can easily access used for debugging the device," said Barnes. "If you attach an SD card to certain parts you're able to reboot the system without it showing you, which gives you access to the device and lets you basically do anything you want."

The hack requires physical access to the Echo, but it is very difficult to see when a device has been tampered with…

MWR advised people who want to buy an Echo to check the date the product was made on the back of the box by the serial number. It said to avoid buying the 2016 device second-hand, in case it has been tampered with, and to check that the box for a new product is sealed.

It added that customers should mute their devices when they are not in use and avoid placing the Echo in a public place, such as a hotel room or office.

Amazon said: "To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date."
