Smart speakers need to be able to listen, but this two-way channel can lead to interesting exploits and attacks.
When voice-based home assistants such as the Amazon Echo and Google Home first appeared on the market, worries surfaced that such devices might be harnessed as a surveillance weapon.
This concern still lingers, especially as these smart speakers are constantly being updated and becoming smarter through improved voice recognition technology, artificial intelligence (AI), apps, and Internet of Things (IoT) device control.
As smart home assistants become the hub for daily tasks, home appliance control, and task and calendar management, security has become paramount.
Companies such as Amazon and Google understand the need, as severe security vulnerabilities or attacks on consumers could be seriously detrimental to the adoption of Amazon Echo and Google Home, and could batter their respective reputations.
As such, there have been few reports of exploitable firmware-based security flaws, although malicious Amazon Alexa Skills were the subject of proof-of-concept (PoC) attacks earlier this year and a bug which revealed user GPS details was disclosed in Google Home.
Outright surveillance through audio has not been an issue.
However, researchers have now demonstrated ways in which smart speakers can be tampered with to spy on their users.
Speaking at Defcon in Las Vegas on Sunday, Tencent Blade researchers Wu Huiyu and Qian Wenxiang said that such security concerns are “necessary,” especially in light of how vulnerabilities can be utilised to compromise these devices.
Yet throwing out your smart speaker or panicking isn’t necessary, as the new technique is technically demanding and requires stringent conditions to pull off.
As reported by Wired, the researchers took an Amazon Echo and modified the device. A number of components which were soldered on, such as its flash memory, were removed.
The chip was then flashed and given new firmware which granted root access before being re-soldered into the Echo.
It took several months, but Tencent was able to find a number of vulnerabilities in the Alexa interface of Amazon.com. According to the publication, these bugs included cross-site scripting (XSS), URL redirection, and HTTPS downgrade attacks.
These bugs could be utilised in an attack chain to connect the altered Echo with a victim’s Amazon account.
The next step requires both the hacked Echo and target Echo to be active on the same Wi-Fi network. This would require the attacker to know the login credentials of the network, or alternatively, a brute-force attack would need to uncover the Wi-Fi password.
If this connection is established, a software component called the Whole Home Audio Daemon can be compromised through a bug which permits attackers to gain remote control of the speaker. They can then play any sound they choose or silently record audio which could, in theory, be transmitted to threat actors.
The researchers notified Amazon of their findings and all of the vulnerabilities mentioned have now been patched.
While few threat actors would go to such lengths to compromise a speaker even if the attack chain were still possible, the findings do highlight the fact that vulnerabilities in Echo devices may be a real threat to the future of smart devices and IoT gadgets.