You can now add the Amazon Echo to the list of Internet-of-Things devices that hackers could turn into surveillance devices to spy on you in your office, home, or hotel room.

Mark Barnes, a security researcher for U.K.-based MWR Labs, writes in a detailed account of how to hack the Echo that the device, an "always-listening" smart speaker enabled with artificial intelligence, can be turned into a "wiretap." Hackers need to gain physical access to your Echo, but once they install malware on the device they can stream the audio picked up by the Echo to their computer. The good news is that the hack cannot be done remotely, so hackers would need to tamper with the device while it's sitting in your office or at your home. Also, the new 2017 models do not have the same vulnerability as older ones, Barnes writes.

Barnes hacked the Echo by removing the rubber base of the speaker, which exposed connections to the device's hardware. He connected his computer and launched a program that controls the microphone and streams incoming audio to his computer. But hackers could launch other attacks, too.

"You can make it do whatever you want, really," Barnes tells Wired.

Barnes cites a paper by computer scientists at The Citadel, the Military College of South Carolina, which outlines a similar hack.

The Echo hack is just the latest vulnerability reported in internet-connected devices. According to Proofpoint, hackers used smart TVs and smart refrigerators to send over 750,000 malicious phishing emails between 2013 and 2014. In March, a WikiLeaks data dump revealed that the CIA can hack Samsung Smart TVs to stream audio picked up from the television's microphone.

Across the industry, Internet-of-Things devices are woefully insecure, researchers say. Many Internet-of-Things devices are sold to customers with "exploitable firmware," write Ike Clinton and Lance Cook, students in Citadel's Cyber Communications Command program, in their paper about Echo's security flaws.

"The future of the Internet, and our highly technology-connected lives, depend on these devices to be secure," Clinton and Cook write. The "fear," they write, "is that someone with more malicious intent will find a vulnerability on key devices used by everyone, or the government."

Published on: Aug 2, 2017