During the DefCon security conference on Sunday, researchers Wu Huiyu and Qian Wenxiang, who work for Chinese tech company Tencent, revealed they had spent months trying to develop a technique that would hijack the Amazon voice assistant.
The researchers removed the flash memory chip, modified the firmware and then reattached the parts to the circuit board, connecting the modified Echo to the same Wi-Fi network as the other devices that had not been tampered with.
This move gave the team the ability to record anything and play any sound they wanted, without any indication of foul play from the device.
Now, before you get worried and throw your Amazon Echo out the window, you have to understand that breaching the device is not that easy and it also requires some serious hardware skills.
To start with, the hackers would need to disassemble the Echo and then connect it to a network with other Echo speakers. From there on, the Echo that has been tampered with would attack the others by using a series of online vulnerabilities in the device’s interface that involve cross-site scripting, URL redirection and HTTPS downgrade attacks, to name a few.
The process is probably too complicated for our untrained ears, but what I can tell you is that it takes time and it takes effort, so there is no reason for this kind of hacking to be used just for fun and games on your average Echo user with a 9 to 5 job.
If anything, a breach like this would happen in spaces such as hotels, where a hacker could stay without calling too much attention to themselves and where a number of smart speakers could be found.
Besides, the researchers notified Amazon long before DefCon and, in the meantime, Amazon pushed out additional security measures sometime in July.
So step away from the window, put the Echo down and ask it to play some music. All is well.