Yahoo Finance Security flaw in Amazon Echo speakers may have allowed hackers to spy on users
A security flaw in the Amazon Echo smart speaker may have allowed criminals to eavesdrop on private conversations at home, researchers have found.
The always-listening Amazon Echo, which retails at £90, is currently the most popular smart speaker in the UK, making up three quarters of the market. There have been persistent concerns that the devices could be used to spy on users.
Researchers at Chinese tech giant Tencent confirmed these fears at a recent security conference by demonstrating how a doctored Echo speaker can be used to gain access to other Echo devices. Not only could this allow criminals to spy on private conversations, but it could also let them take over the device and play random sounds to terrify users.
The researchers subsequently notified Amazon of the vulnerability, and the company issued a patch in July so the flaw has now been rectified.
The hack involved removing the flash memory chip on an Echo speaker, modifying it and then soldering it back into place.
The modified version of the smart speaker could then hack into other Amazon Echos after connecting to the same local area network (LAN), claimed Tencent researchers Wu HuiYu and Qian Wenxiang.
The flaw allowed Wu HuiYu and Qian Wenxiang to take advantage of the speakers “Whole Home Audio Daemon” software, which Echo’s use to connect to each other on the same internet network.
The vulnerability was revealed at an annual conference for hackers, called DEF CON, in a presentation named Breaking Smart Speakers: We are Listening to You.
This isn't the first time that Amazon's smart speakers have been hit by security concerns. In May, a woman had her private conversation with her husband recorded by their Amazon Alexa and sent to a friend by email without their knowledge.
Amazon said the smart speak had misinterpreted the conversation as a set of demands which led to the conversation being packaged up and sent to a seemingly random contact.
An Amazon spokesperson said: “Customer trust is important to us and we take security seriously. This issue would have required a malicious actor to have physical access to a customer’s device and the ability to modify the device hardware. Customers do not need to take any action as their devices have been automatically updated with security fixes.”
