A SECURITY FIRM has successfully compromised the Amazon Echo to turn it into a covert listening device.
MWR InfoSecurity is the firm in question, and it claims that it was able to exploit a vulnerability in the device to turn it into a 'wiretap' without affecting its overall functionality.
You needn't go throwing your Amazon Echo in the bin just yet though, as the vulnerability only affects the 2015 and 2016 versions of the AI-powered speaker.
What's more, the hack itself is pretty long-winded and would require hackers have physical access to your Echo.
MWR explains that, to carry out the attack, it removed rubber base on the bottom of the Echo, which allowed it to access the devices 18 debug pads and directly boot into the firmware of the device via an external SD card. From here, it was able to install persistent malware without leaving any physical evidence of tampering.
This allowed the security firm to gain them remote root shell access, along with access to the 'always listening' microphones.
MWR then developed scripts that leveraged tools embedded on the device to stream the microphone audio to a remote server without affecting the functionality of the device itself, which means that hackers could, in theory at least, covertly monitor and listen in on users and steal private data without their permission or realisation.
Mark Barnes, Security Consultant at MWR InfoSecurity said: "The rooting of the Amazon Echo device in itself was trivial; however, it raises a number of important questions for manufacturers of Internet enabled or 'Smart Home' devices.
"The biggest limitation of this vulnerability is the need for physical access to the device itself, but it shouldn't be taken for granted that consumers won't expose the devices to uncontrolled environments that places their security and privacy at risk.
"Whilst Amazon has done a considerable amount to minimise the potential attack surface, these two hardware design choices - the unprotected debug pads and the hardware configuration setting that allows the device to boot via an external SD card - could expose consumers to an unnecessary risk."
Amazon has responded to MWR's findings, and has said that it's probably best that you buy your Echo from it directly to stop this kind of thing from happening.
"Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date."
MWR has its own advice. It also warns against buying smart speakers from third-party retailers, and says that users should use the device's mute button to disable the microphone. µ
A whole new way to be tied to your ISP
Search giant puts Epyc chips at the heart of its datacentre servers
Notch-equipped handset quickly overtakes its cheaper siblings
Good news for developers; a collective shrug for everyone else