Hardware hack turns Amazon Echo into a bugging device
This is mildly terrifying. 2015 and 2016-made Amazon Echo can have malware installed via a hardware hack:
Barnes executed the attack by removing the bottom of the smart speaker and exposing 18 "debug" pads, which he used to boot directly into the firmware with an external SD card. Once the hack is complete, the rubber base can be reattached, leaving behind no evidence of tampering.
With the malware installed, Barnes could remotely monitor the Echo's "always listening" microphone, which is constantly paying attention for a "wake word." (The most popular of these is "Alexa.") Barnes took advantage of the same audio file that the device creates to wait for those keywords.
While the Motherboard article tries to reassure us that the hack is unlikely to be exploited, because it requires physical access, that presumes that all Echos are in use in homes. And they're not:
Wynn Las Vegas just announced that it’ll be putting the Echo in all 4,748 of its hotel rooms by this coming summer. Alexa will let guests control room lights, room temperature, drapery, and the television using voice commands.
Even worse, this hack can't be fixed by a software update. The always-listening speaker in your hotel room just became a spy.
Thankfully, devices manufacture this year aren't vulnerable to this – but there are millions of speakers out there that are,