Slashdot Mirror


Hackers Can Turn Amazon Echo Into a Covert Listening Device (helpnetsecurity.com)

Orome1 shares a report from Help Net Security: New research released by MWR InfoSecurity reveals how attackers can compromise the Amazon Echo and turn it into a covert listening device, without affecting its overall functionality. Found to be susceptible to a physical attack, which allows an attacker to gain a root shell on the Linux Operating Systems and install malware, the Amazon Echo would enable hackers to covertly monitor and listen in on users and steal private data without their permission or knowledge. By removing the rubber base at the bottom of the Amazon Echo, the research team could access the 18 debug pads and directly boot into the firmware of the device, via an external SD card, and install persistent malware without leaving any physical evidence of tampering. This gained them remote root shell access and enabled them to access the "always listening" microphones. Following a full examination of the process running on the device and the associated scripts, MWR's researchers investigated how the audio media was being passed and buffered between the processes and the tools used to do so. Then they developed scripts that leveraged tools embedded on the device to stream the microphone audio to a remote server without affecting the functionality of the device itself. The raw data was then sampled via a remote device, where a decision could then be made as to play it out of the speakers on the remote device or save the audio as a WAV file. The vulnerability has been confirmed to affect the 2015 and 2016 editions of the device. The 2017 edition of the Amazon Echo is not vulnerable to this physical attack. The smaller Amazon Dot model also does not carry the vulnerability. More technical details can be found here.

114 comments

  1. News! by Ol Olsoc · · Score: 5, Insightful

    This is like saying that hackers can turn a car into a transportation device.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:News! by Zaelath · · Score: 1

      Hackers can turn your laptop camera into a surveillance device, this has been foiled by smart people with tape.

      Echo and Google Home users should submerse their devices in a bucket of oil when not in use; please don't use water as this may cause a power short.

    2. Re:News! by Daetrin · · Score: 4, Informative

      I'm shocked. Shocked i tell you. This is my shocked face. For some reason it looks very similar to my sarcasm face.

      --
      This Space Intentionally Left Blank
    3. Re:News! by Anonymous Coward · · Score: 0

      "Hackers Can Turn Overt Listening Device into a Covert Listening Device."

      If you own an Echo, you know Amazon is listening to you = overt.
      They've found a way to redirect it someone else other than Amazon is listening to you without your consent = covert.

    4. Re:News! by ShanghaiBill · · Score: 5, Insightful

      The "hack" described in TFA requires physical access to the device. Anything can be compromised by someone with physical access. For instance, I can "hack" the smart-lock on your front door with my sledgehammer.

    5. Re:News! by Anonymous Coward · · Score: 1

      Are you telling me hackers can turn your sarcasm face into your shocked face?

    6. Re:News! by Anonymous Coward · · Score: 0

      Hmmm.... I wonder if there was something else they could do to listen in you if they had physical access to your home? No, probably not. Homes without Amazon devices are safe from eavesdropping.

    7. Re:News! by Anonymous Coward · · Score: 1

      Breaking news: attackers with physical access to a device are able to compromise the device. Literally everyone in the tech industry is shocked by this discovery.

      Congress is already moving to pass legislation forcing the US to revert to the stone age in order to protect the country against terrorism and pedophiles, though it has little support from the Republican party who insist it include provisions to lower taxes, nor does it have support from the Democratic party because the bill has nothing to do with LGBT rights. Nobody has asked the independent parties what they think. In an early morning tweet, Trump said "this new bill shows the espitumum" and our analysts are working around the clock to figure out what that means.

      In related news, the EU has disavowed knowledge of the US. When reminded of the existence of one of the world superpowers, the Hague said "new phone who dis?"

    8. Re:News! by sexconker · · Score: 1

      Can you hack space time? You have physical access. Where's your teleportation device? Your time machine?

      DIDN'T THINK SO.

    9. Re:News! by WolfgangVL · · Score: 2

      If YOU made a time machine, would YOU tell anybody?

      DIDN'T THINK SO.

      --
      You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
    10. Re:News! by markdavis · · Score: 1

      >"Echo and Google Home users should submerse their devices in a bucket of oil when not in use;"

      Consumers should just insist on all such devices having a PHYSICAL microphone OFF button. It really is that simple. Of course, many won't use it, and it doesn't protect from malware having access to when it is being actively used. But at least it is a start. It gives the user the ultimate control, without having to TOTALLY physically remove power from a device (rendering it completely useless; and that isn't easy to do with a phone that has a non-accessible battery).

      I personally think ALL personal devices with a camera should be required to have a physical shutter or camera off button and all personal devices with a microphone should be required to have a physical mic off button (a positive action, preferably slide type).

    11. Re:News! by LesFerg · · Score: 1

      Exactly. If a "hacker" gained that much access to a device inside your house, they could just as easily plant their own bug inside that or any other appliance or household decoration.
      How is this new or surprising? Is this just propaganda in support of EUFI?

      --
      If I had a DeLorean... I would probably only drive it from time to time.
    12. Re:News! by Anonymous Coward · · Score: 0

      Yep, amazing hack: apparently if you have physical access to a small computer, technical know-how, appropriate tools and time to spare you can do stuff! Incredible!

    13. Re:News! by Anonymous Coward · · Score: 0

      Shocking!

    14. Re:News! by Ol Olsoc · · Score: 1, Funny

      "Hackers Can Turn Overt Listening Device into a Covert Listening Device."

      If you own an Echo, you know Amazon is listening to you = overt. They've found a way to redirect it someone else other than Amazon is listening to you without your consent = covfefe.

      FTFY

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    15. Re:News! by Anonymous Coward · · Score: 0, Funny

      >That syllable over there reminds me of Trump! Time to remind the world how much I hate him (for the third time in the last 5 minutes)!

    16. Re: News! by Anonymous Coward · · Score: 0

      Unplug it?

    17. Re:News! by Orgasmatron · · Score: 2

      The key word isn't "listening device", it is "covert". Hackers can turn an overt listening device into a covert listening device. Kinda like how Android malware can turn your Google/AT&T spying device into a Google/AT&T/other spying device.

      --
      See that "Preview" button?
    18. Re:News! by Ol Olsoc · · Score: 2

      The key word isn't "listening device", it is "covert". Hackers can turn an overt listening device into a covert listening device. Kinda like how Android malware can turn your Google/AT&T spying device into a Google/AT&T/other spying device.

      The keyword isn't covert. It is that the device listens, and as a part of the security lacking Internet of things someone or many people out there simply are listening to it. I don't give a damn if you call it onomatopoeia, the gaddamned thing is listening in all the time. And the utter naivety to think that the only people who are listening to it is Amazon is charming, but so wrong. Maybe that isn't a big deal for many people.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    19. Re:News! by Anonymous Coward · · Score: 0

      With physical access, I can turn your desk, chair, or a painting on the wall into a covert listening device. Hasn't anyone on the editing team seen a James Bond movie?

    20. Re:News! by Anonymous Coward · · Score: 0

      The "hack" described in TFA requires physical access to the device. Anything can be compromised by someone with physical access. For instance, I can "hack" the smart-lock on your front door with my sledgehammer.

      Maybe that's how they accessed the Echo in the first place. Shotgun.

    21. Re:News! by thegarbz · · Score: 1

      I could turn your completely offline device into a covert listening device if I had access to it for 5 minutes.

      This has been the stuff of spy agencies since they first existed.

    22. Re:News! by Buchenskjoll · · Score: 2, Funny

      Of course I would. And every time I would say "I told you so yesterday!", and then go back and do it.

      --
      -- Make America hate again!
    23. Re:News! by stealth_finger · · Score: 1

      >That syllable over there reminds me of Trump! Time to remind the world how much I hate him (for the third time in the last 5 minutes)!

      Well, if he would stop making a twat out of himself.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    24. Re:News! by parkinglot777 · · Score: 1

      Of course I would. And every time I would say "I told you so yesterday!", and then go back and do it.

      And you could have changed your present. Then you may not be able to say "I told you so yesterday!" because the person may not see or talk to you again.

    25. Re:News! by Zero__Kelvin · · Score: 1

      To say that anything can be hacked if you have physical access is taking things too far. It greatly increases the odds, but there are countermeasures that can be employed. It is even possible to make a device that literally cannot be hacked, even by state actors, so long as it is a "one off" implementation. As always, security isn't a product so much as a set of procedures and processes, and what is important is the security landscape. Should a typical user be worried? Probably not. Should a user with a jilted ex that has skills be? Depends on the ex. Should Trump have one in his office? I'm going to go with no.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    26. Re:News! by swillden · · Score: 1

      The "hack" described in TFA requires physical access to the device. Anything can be compromised by someone with physical access.

      This is true, but the attack on the Echo appears to be unnecessarily easy. Debug pads should not be left enabled in production devices.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    27. Re:News! by thomn8r · · Score: 1

      Can you hack space time?

      By whacking you in the head with the same hammer, I can magically transport you 30 minutes into the future.

    28. Re:News! by Anonymous Coward · · Score: 0

      and they did it by stealing your keys.

    29. Re:News! by drinkypoo · · Score: 1

      This is true, but the attack on the Echo appears to be unnecessarily easy. Debug pads should not be left enabled in production devices.

      FUCK THAT. Debug pads should be left enabled in ALL DEVICES. That's needed for the ability to make many types of repairs and modifications. It's irrelevant because the manufacturer leaves them there on purpose, so that they can troubleshoot and analyze problems in devices returned by customers. Not so that they can repair and resell them, although they may actually come in handy for that purpose as well, but so that they can figure out what they did wrong and fix it in the next revision.

      It has always been a truism that physical access to the device means that you have to assume that it's been tampered with, and it always will be, because the techniques for tampering advance at about the same rate as the techniques for production. Tamper protection is expensive and inconvenient and anyway, who cares? They could turn it into an always-on listening device by hiding a bug in it, and just tapping it for power. If they have physical access, you're screwed.

      The only short-term way to prevent this sort of thing from happening is to prevent physical access. The only long-term way is to build a global society that cares for all of its members. There is a variety of tomfoolery in between, which could best be described as an arms race. The finish line of an arms race is weaponizing. The finish line of building a global society which cares for all of its members is peace and prosperity for all. The alternative is failure of the species, sooner or later. In between now and whenever we find out which of those things will happen, if you are worried about being spied upon, you should look to your methods of detecting and preventing physical access as the last line of defense.

      If this were a remote hole, it would be indefensible. If you can root it, then it hardly matters if there is a debug port. Removing it only means that people have to go slightly further, read some datasheets, and jump off of ICs themselves. Or more likely, they will just have to find test points instead of a debug connector.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    30. Re:News! by jamlam · · Score: 1

      Not really... I'm fairly certain that no government could build a device that I couldn't turn into a listening device by sticking a wifi mic to it. Similarly with the Echo, if you take off the baseplate, remove everything inside and replace it with a recording device does that really constitute hacking? You've not compromised the security features of the device, it was never designed to be secure if left in a public place. I think the question is whether doing something physical to change the device really constitutes "hacking" as it's seen in the eyes of the general public. Most people think of a nerd in a basement with remote access doing terrible things, not a guy who's already broken into your living room and is fondling your stuff. That's not hacking, it's burglary.

    31. Re:News! by Zero__Kelvin · · Score: 1

      You would be wrong. In fact it is trivially easy to build a device that knows what Wi-Fi devices are in range and reports the presence of any new ones. Care to try again?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    32. Re:News! by jamlam · · Score: 1

      Who says I'm using WiFi (apart from me in my previous comment but you get the idea...) https://en.wikipedia.org/wiki/...

    33. Re:News! by Zero__Kelvin · · Score: 1

      Try 2: Fail. The same applies to any device that radiates energy, including heat. Care to try a third time? (It is 2017 now, BTW)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    34. Re:News! by jamlam · · Score: 1

      Kinda veering off topic here a little, the statement was that a government could make something that was totally physically secure, not that it was possible to create an undetectable listening device. Any listening device that transmits information radiates energy by definition so I call straw man on that one.

    35. Re:News! by Zero__Kelvin · · Score: 1

      You created the straw man, but I already showed why you are wrong. By using the Echo there is no new device to detect. You seem to have missed that point entirely in your misguided zeal to prove my factually correct OP wrong.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    36. Re:News! by swillden · · Score: 1

      This is true, but the attack on the Echo appears to be unnecessarily easy. Debug pads should not be left enabled in production devices.

      FUCK THAT. Debug pads should be left enabled in ALL DEVICES.

      I completely, and deeply, disagree, at least on any device that manages sensitive user information.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    37. Re: News! by jamlam · · Score: 1

      Not quite zeal, I'm on the train and I'm bored and this is quite interesting :) I agree that it's harder to detect in terms of the Echo but your statement was "To say that anything can be hacked if you have physical access is taking things too far". That's the factually incorrect bit, if you'd said "it's impossible to create an undetectable transmitting device" I'd have agreed 100%.

    38. Re:News! by drinkypoo · · Score: 2

      I completely, and deeply, disagree, at least on any device that manages sensitive user information.

      Security through obscurity is not security. It's false.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    39. Re: News! by Zero__Kelvin · · Score: 1

      You forgot the restriction that it has to be a "one off" item. There are techniques to make devices tamper proof. If you open them they will never work again, etc.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    40. Re:News! by sexconker · · Score: 1

      If YOU made a time machine, would YOU tell anybody?

      DIDN'T THINK SO.

      Not intentionally, but that shit can't be kept secret.

      FACT: The reason we don't have backwards time travel is because it's always eventually used to go back in time and prevent it from ever being invented.

    41. Re:News! by WolfgangVL · · Score: 1

      I'm pretty sure I eventually invent time-travel, and spend the rest of my life carefully guiding myself to the discovery faster and cheaper than I had originally done. In fact, I bet soon I'll find a way to stop myself from writing this slashdot post.

      --
      You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
    42. Re:News! by Agent0013 · · Score: 1

      I think I might notice a plug going from the painting on the wall to the outlet. If you mean to run it on battery, the sci-fi movies don't worry about reality. And a couple of hours might not catch the conversation you want. This Echo thing is already plugged in, so there is nothing suspicious about it sitting there listening to you all day. That would be the benefit of hacking an Echo over doing the same to a chair.

      --

      -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
    43. Re:News! by Ol Olsoc · · Score: 1

      and they did it by stealing your keys.

      We must give the government your keys to protect you.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    44. Re:News! by Anonymous Coward · · Score: 0

      Just think of how this revelation can apply to countless electronic voting machines!

      I'm waiting for some voting booth to be outfitted with an Amazon Echo, so they can monetize everyone's votes by attaching focused ads based on the voter's political habits.

      Oh wait! They already do that!

      Nevermind!

  2. Obligatory by thechanklybore · · Score: 1

    "Amazon Echo still a covert listening device"

    1. Re:Obligatory by Anonymous Coward · · Score: 0

      Covert? More accurate to say "Amazon Echo still an overt listening device."

  3. Holy Possessed Toaster (talkie anyone) by brokenin2 · · Score: 4, Insightful

    How many average consumer devices can't be compromised with physical access to the hardware?

    Couldn't someone also just plant a bug in the thing (or somewhere else in your house) and listen to you that way?

    In what world is this news?

    1. Re:Holy Possessed Toaster (talkie anyone) by Anonymous Coward · · Score: 0

      How many average consumer devices can't be compromised with physical access to the hardware?

      Couldn't someone also just plant a bug in the thing (or somewhere else in your house) and listen to you that way?

      In what world is this news?

      If somebody breaks into my house - my Amazon Echo is probably going to be the LAST thing I'm worried about thieves compromising. If the Amazon Echo exists in any business setting - then you have a problem. Not with the Echo, but with the business setting permitting such devices.

      Kudos for the find - but already addressed and low risk vulnerability.

    2. Re:Holy Possessed Toaster (talkie anyone) by brunes69 · · Score: 1

      Indeed.

      And in fact, *IF* you were a three letter agency and you had physical access to someone's house, and wanted to spy on them, which are you more likely to do - spend hours disassembling the Echo and doing this exploit and reassembling it, or spending 10 minutes planting bugs all over the house? I would wager the latter.

    3. Re:Holy Possessed Toaster (talkie anyone) by Anonymous Coward · · Score: 0

      I've tried to compromise my toaster at home by connecting it to the computer network at home. Now all my computers' mobos smell toasty.

      Is anyone else having this problem?

    4. Re:Holy Possessed Toaster (talkie anyone) by Vektuz · · Score: 1

      If you had physical access you could just plant an actual covert audio listening device in the house instead.

    5. Re:Holy Possessed Toaster (talkie anyone) by Kjella · · Score: 1

      How many average consumer devices can't be compromised with physical access to the hardware? Couldn't someone also just plant a bug in the thing (or somewhere else in your house) and listen to you that way? In what world is this news?

      Well, it's a nice spy trick to subvert the enemy's equipment instead of installing your own bug. If it was a cell phone, video conference system or something like that I'd say it was a pretty big deal. I just don't see the overlap between the kind of places you'd worry about a bug sweep and the kind of places you'd put an Amazon Echo though. Though it could be Trump has got one at the White House...

      --
      Live today, because you never know what tomorrow brings
    6. Re:Holy Possessed Toaster (talkie anyone) by Zero__Kelvin · · Score: 1

      There are many already in place, no bug scan will find it, and all the infrastructure for remote monitoring is already there. There are numerous advantages over your "just plant a bug" approach.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  4. Why buy this crap? by DatbeDank · · Score: 4, Insightful

    Always listening device,

    Who in their right mind thought these tools would be useful to a consumer? Are people out there really that dense to think that a device like this isn't sending every waking minute of their lives to some spook at the NSA?

    Every time I hear someone go on and on about how the "Internet of Things" is the next great land rush, I laugh. The sooner this and 360 VR die the better.

    1. Re:Why buy this crap? by misexistentialist · · Score: 1

      cellphone is already doing it, at least Alexa will tell you a joke

    2. Re:Why buy this crap? by Woldscum · · Score: 2

      AND on top of it they are getting you to PAY for it. Tom Sawyer and whitewashing the fence all over again.

    3. Re:Why buy this crap? by YukariHirai · · Score: 1

      Always listening device,

      Who in their right mind thought these tools would be useful to a consumer?

      The same can be said of many consumer devices that wound up being successful. When the iPad first came out, people mocked A) the name, and B) the idea that anyone would want an overgrown iPhone that can't make phone calls. No-one mocks it anymore. In the case of the Echo, being able to give verbal commands to a computer rather than mess about with a keyboard has long been a feature of science fiction that many people wanted in reality. That many people have their doubts about the usefulness, reliability and privacy of such a thing is besides the point; many people don't have such doubts and want the convenience and/or novelty of it.

      Are people out there really that dense to think that a device like this isn't sending every waking minute of their lives to some spook at the NSA?

      The answer to "are people out there really that dense..." is always "yes".

    4. Re:Why buy this crap? by thegarbz · · Score: 1

      Who in their right mind thought these tools would be useful to a consumer?

      Given digital assistants are the wet dream of pretty much every sci-fi writer, you are just showing a lack of imagination.

    5. Re:Why buy this crap? by Ksevio · · Score: 2

      Are people out there really that dense to think that a device like this isn't sending every waking minute of their lives to some spook at the NSA?

      For a tech site, you wouldn't expect questions like that. I have one, it's handy for asking questions, controlling the lights and stuff.

      I also have monitored the traffic from it and there's nothing significant until you say the wake word. Might as well be afraid of your toaster sending data to the NSA.
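
Added example, not part of the thread: one way to turn the traffic observation above into a check for the microphone streaming described in the summary is to look for sustained upload from the device rather than short bursts. The flow records, IP addresses (documentation ranges), thresholds and the 16 kHz/16-bit mono audio format are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: raw 16 kHz, 16-bit mono PCM. The summary only says "raw" audio.
RAW_PCM_BYTES_PER_SEC = 16_000 * 2
# Flag at a quarter of that rate so a lightly compressed stream still trips it.
MIN_BYTES_PER_MIN = RAW_PCM_BYTES_PER_SEC * 60 // 4
# Voice requests are short bursts; a live microphone feed runs for minutes.
MIN_SUSTAINED_MINUTES = 5


def sustained_uploads(flows, device_ip,
                      min_bytes=MIN_BYTES_PER_MIN,
                      min_minutes=MIN_SUSTAINED_MINUTES):
    """Return {destination: longest run in minutes} for steady uploads.

    flows is an iterable of (unix_seconds, src_ip, dst_ip, bytes_sent)
    tuples, e.g. exported from a router or a capture on a mirror port.
    """
    per_dst = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, sent in flows:
        if src == device_ip:
            per_dst[dst][ts // 60] += sent  # one-minute buckets

    findings = {}
    for dst, minutes in per_dst.items():
        longest = run = 0
        prev = None
        for minute in sorted(minutes):
            if minutes[minute] >= min_bytes:
                # Extend the run only if this minute directly follows the last busy one.
                run = run + 1 if prev is not None and minute == prev + 1 else 1
                prev = minute
                longest = max(longest, run)
            else:
                run, prev = 0, None
        if longest >= min_minutes:
            findings[dst] = longest
    return findings


def constructed_flows():
    """Constructed sample data: 20 minutes of traffic from one speaker."""
    device = "192.168.1.50"
    flows = []
    # Keepalives plus two voice requests to the vendor cloud (placeholder IP).
    for minute in range(20):
        flows.append((minute * 60, device, "203.0.113.10", 500))
    flows.append((95, device, "203.0.113.10", 200_000))
    flows.append((610, device, "203.0.113.10", 900_000))
    # Ten minutes of continuous upload at the raw PCM rate to an unknown host.
    for ts in range(300, 900, 10):
        flows.append((ts, device, "198.51.100.7", RAW_PCM_BYTES_PER_SEC * 10))
    # Traffic from another LAN host must not be attributed to the speaker.
    flows.append((400, "192.168.1.20", "198.51.100.7", 5_000_000))
    return device, flows


if __name__ == "__main__":
    device, flows = constructed_flows()
    for dst, minutes in sustained_uploads(flows, device).items():
        print(f"{device} -> {dst}: {minutes} consecutive minutes of steady upload")
```
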

  5. It is going to be more interesting ... by basicprimitives · · Score: 2

    If hackers turn all mobile phones into global echolocation surveillance system, that is going to be way more interesting. Do you ever ask yourself how google gets information about traffic jams? Every mobile phone is being tracked. What is the point to hack Amazon Echo when we have mobile phone in every pocket?

    1. Re:It is going to be more interesting ... by Anonymous Coward · · Score: 1

      Joke's on all of you with smartphones, I refuse to own one, have a $50 plastic clamshell phone, and it's turned on only once or twice a day for a couple hours.

    2. Re:It is going to be more interesting ... by Gavagai80 · · Score: 1

      Do you ever ask yourself how google gets information about traffic jams? Every mobile phone is being tracked.

      Only phones that have opened google maps and told it to get their location are tracked for traffic. Pretty easy to avoid that.

      --
      This space intentionally left blank
    3. Re:It is going to be more interesting ... by markdavis · · Score: 2

      >"Only phones that have opened google maps and told it to get their location are tracked for traffic. Pretty easy to avoid that."

      Actually, that is not true. A lot of the traffic information comes from the cell companies which track all the phones BY NECESSITY and then sell that information (supposedly anonymized) to third parties. I know that Sprint does it, and I doubt they are alone. They don't tell you and don't ask your permission. If your phone is on and the mobile radio is on, you ARE being tracked.

    4. Re:It is going to be more interesting ... by 110010001000 · · Score: 1

      It would be pretty hard for a cellular network to work without tracking the devices connected to it.

    5. Re:It is going to be more interesting ... by basicprimitives · · Score: 1

      Yes, you are the exact person who is being monitored by surveillance systems. You have more chances to stay hidden being at the spot of public attention. As soon as you try to hide yourself in the cave you get only more attention from surveillance systems, because you just go beyond average statistical behavior.

    6. Re:It is going to be more interesting ... by basicprimitives · · Score: 1

      I know. I personally believe that public alert systems should be built into mobile phones. So government agencies can make loud voice announcements directly to mobile phones whether user wants it or not. Going further government agencies should be able to communicate with people via speakerphone with people who are close to phone as well. I assume that they are doing this anyway, I only consider that information obtained this way should be used only for public safety and cannot be used against the user in any form except that. I know that it is tricky.

  6. Once again by NEDHead · · Score: 4, Interesting

    Star Trek had it right. First you poke the button on the communicator, then it listens...

    1. Re:Once again by vux984 · · Score: 1

      Actually no, what makes you think the star trek system can't also be trivially hacked* to listen all the time?

      * I wrote 'hacked' but I'm willing to bet "hey computer, quietly record everything going on everywhere on decks 1 - 15 and deliver it to my console" would also work; so more of a 'built in functionality' rather than a 'hack'.

    2. Re:Once again by freeze128 · · Score: 2

      Button press unnecessary when on board the Enterprise.

    3. Re:Once again by TheFakeTimCook · · Score: 1

      Star Trek had it right. First you poke the button on the communicator, then it listens...

      Except for the hundreds of times when the actor forgets to touch the communicator until halfway through his/her utterance.

    4. Re:Once again by TheFakeTimCook · · Score: 1

      Button press unnecessary when on board the Enterprise.

      Unless it is necessary for the plot...

    5. Re: Once again by Anonymous Coward · · Score: 0

      There's no indication the other end actually heard the whole transmission !

    6. Re:Once again by AmiMoJo · · Score: 3

      Star Trek seemed to have really strong privacy protections. Clearly they could record everything all the time, but chose not to. When investigation was required there was never any CCTV from the ship, or voice recordings made by the computer.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Once again by swillden · · Score: 1

      Star Trek had it right. First you poke the button on the communicator, then it listens...

      That is the way that these devices work, too, when they're not hacked. The only difference is that the "button" is a keyword.

      Actually, Star Trek had that as well. The keyword was "Computer".

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    8. Re:Once again by drinkypoo · · Score: 1

      Star Trek seemed to have really strong privacy protections.

      Star Trek was based on a bright future where everyone's basic needs were met.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Alexa... am I being spied on? by Anonymous Coward · · Score: 0

    I'm sorry. Unless you are asking for the weather or need a light turned on I don't know what you want.

  8. From the institute of by Snotnose · · Score: 2

    No Shit Sherlock.

    Back in '90 or I was sysadmin when we got a bunch of personal Sun workstations. These all had microphones on them, Usenet soon told me how to turn the mic on and record to a local file. Went to my boss, told him we needed to open up every box and cut a wire. He was all like "um, no, not gonna happen". Told him to wait 5 minutes, then call someone and talk for a minute or two. Went into his office, played back the audio file I'd recorded of his conversation, spent the next few hours opening up brand spanking new Sun workstations to cut a wire.

    Why yes, I do have black tape over the camera on my laptop. Why do you ask?

  9. People blowing this off need to consider .... by King_TJ · · Score: 1

    While yes, physical access to a device means it *can* be hacked, there are different degrees of concern you should have, depending on the device in question.

    For example, physical access to my car in order to hack it? The car does have door locks on it as well as requiring a separate key to actually start it. Most people have a habit of doing some basic physical security with their car - such as putting it in a garage at night (which is also locked), or at least locking it up and taking the keys with them whenever they leave the vehicle. Most paid parking lots or garages are attended too, or at least have security cameras operating. That means the bar is raised a bit for hacking into it.

    Same with physical access to servers.... Data centers with servers processing high value transactions are pretty heavily secured against unauthorized access. (I toured a data center out in Vegas recently and the place was full of armed guards with high powered rifles, as well as plenty of locked doors that only opened with the proper access cards, and surveillance equipment in place.) Even your average small business has a server room with at least a separate lock on the door to the room it's in.

    An Amazon Echo compromise is of a bit more interest, because an Echo is likely to just be sitting on a shelf someplace, in plain view. People you invite over during a party or a housekeeper or service person you let inside would theoretically be able to apply this hack without you having a clue it was done.

    1. Re:People blowing this off need to consider .... by Anonymous Coward · · Score: 0

      Jesus Christ be a little more discerning about who you invite over to a party. And what housekeeper has the skillz to do this? No, I think I'm going to be just fine. Nothing to see here; please move along.

    2. Re:People blowing this off need to consider .... by Rick+Schumann · · Score: 2

      It could be compromised before the box even arrives at your house. For that matter it could even be compromised before it leaves the factory.

    3. Re:People blowing this off need to consider .... by Gavagai80 · · Score: 1

      If you're inviting CIA agents to your country's embassy for an evening party, then yes, you should keep a careful watch on your Amazon Echo.

      --
      This space intentionally left blank
    4. Re:People blowing this off need to consider .... by markdavis · · Score: 3, Insightful

      >"It could be compromised before the box even arrives at your house. For that matter it could even be compromised before it leaves the factory."

      It might even be DESIGNED compromised with built-in back doors for three letter agencies or whatever.

    5. Re:People blowing this off need to consider .... by Riceballsan · · Score: 1

      Looking at the effort involved in this... if a guest is in your living room... and may have motivation to spy on you... They could A. Take apart your echo, plug in their SD card with malware, put back together the echo, it still looks like about a 5-10 minute job. B. Put a tiny bug that they got at the spy store, pretty much anywhere in the house... in about 5-30 seconds.

    6. Re:People blowing this off need to consider .... by fph+il+quozientatore · · Score: 1

      It's called "Intel management engine".

      --
      My first program:

      Hell Segmentation fault

    7. Re:People blowing this off need to consider .... by Ksevio · · Score: 1

      In the article they had to partially dismantle it and connect wires to debug pads. Sure you wouldn't know after it's done, but it would look very suspicious to anyone around. Would be much more subtle to place a standalone bug.

  10. GPL by Anonymous Coward · · Score: 0

    Doesn't the GPL require letting you be able to make software changes to the item you physically own? (or is that 3.0, I'm too confounded to keep pace with rules.)

  11. "Turn"? by Dialecticus · · Score: 2

    You mean from an overt listening device? You could do that just by throwing a towel over it.

    1. Re:"Turn"? by sabbede · · Score: 1

      I nominate this for "Best Comment So Far".

    2. Re:"Turn"? by drinkypoo · · Score: 1

      I didn't leave a comment in this vein only because I figured someone else would do it better, and I was right. Bravo.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  12. Not even ONCE. by Anonymous Coward · · Score: 0

    You were all warned.

  13. This garbage is already an Overt Listening Device by Anonymous Coward · · Score: 0

    The people who buy them are shitheads. Everything that goes wrong for a person like that is already well-deserved. Frankly, if hackers find a way to turn these things into a lethal weapon that takes out the owner, it will be a net benefit to humanity.

  14. Never Leave It Alone by Anonymous Coward · · Score: 1

    This is why I never leave my Echo unattended....especially at a DefCon conference.

  15. Physical access by manu0601 · · Score: 1

    It is usually considered that if you have access to a device, you can take control of it.

    If we call that a hack that must be fixed, then I fear the solution is more closed software, and repair-hostile hardware.

  16. Always listening, thank god!! by Anonymous Coward · · Score: 0

    I really appreciate that my Echo is always listening to me.
    It's about the only thing in this house that does listen to me.
    It even pays attention and follows orders.
    If Echo had been available when I was younger, I would have married one.

  17. And yet such things are becoming ubiquitous by jenningsthecat · · Score: 1

    Why worry about things like government attacks on end-to-end encryption, when everybody and his dog is signing up for 'personal assistants', installing Smart TVs and IoT devices, and posting their whole lives on social media? The vast majority of people seem to be in the process of making wholesale violations of their own privacy trivial and commonplace - it seems unlikely that they'll give more than five seconds' thought to some security vulnerability in the latest bit of shiny. Damn the bread and circuses, damn the corporatocracy, and damn the public education system that is its longest-lived and most effective tool. Those of us who know better have no hope against the sheer numbers of the Kool-Aid drinking hypnotized masses.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  18. hackers need to step up their game by Anonymous Coward · · Score: 0

    needing physical access is for amateurs.

    signed,
    'the feds'

  19. captain obvious by bonedonut · · Score: 1

    sheesh, i would never think for a second that a device that listened all the time to what was going on around it could be turned into a listening device! Almost like it was designed with that in mind...

  20. Does Amazon stop sales now? by MoarSauce123 · · Score: 1

    They did that for the Blü phones due to the same reason.

  21. So we can hack these now? by bill_mcgonigle · · Score: 1

    Jeez, back in the day these threads would be full of all the projects people were going to do with commercial hardware once somebody found a way to load new firmware onto it.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  22. Stupid article. by thegarbz · · Score: 1

    Give me 5 minutes with a desk lamp back in the 1980s and I'll have turned it into a covert listening device as well.

    The people freaking out about this should look into what the FBI and CIA actually did before the internet (hint: still listened in on people).

    1. Re:Stupid article. by schleimkeim · · Score: 1

      Yeah but now they don't need to bug your house, since everyone even pays for the bugs.

    2. Re:Stupid article. by coofercat · · Score: 1

      ...to put a discreet bug in your house you need some way to get the audio or video out of your house and into the hands of the attacker. Thus, they need physical access and a means to transmit data. If you want to transmit data a long way, you also need to take care of powering the bug in some way, as batteries won't last long. They need to put all of that in a central position in your house so they can actually capture the audio they want.

      Once you've conveniently tuned your Echo to your wifi, you've handed an attacker an arguably difficult part of the problem. It's always on, and if it gets turned off, someone will turn it on for you. It's conveniently located, so will capture everything you want to hear. It now meets most of the non-functional requirements of any useful bug. This hack just finishes the job.

      If you want to do the 'security' agencies or criminals a favour, then be my guest. Personally, since I spend a bit of time locking my doors when I leave the house, I'm going to keep trying to make it harder for such people, but maybe that's just me.

    3. Re:Stupid article. by acoustix · · Score: 1

      Yeah but now they don't need to bug your house, since everyone even pays for the bugs.

      Yes, they do. This hack requires physical access to the device. It's essentially the same. Now if they could perform the hack remotely....then it's different.

      --
      "A plan fiendishly clever in its intricacies"- Homer Simpson
    4. Re:Stupid article. by thegarbz · · Score: 1

      So a bunch of "difficult" problems that were solved in the 70s.

  23. No small feat by Opportunist · · Score: 1

    How do you hide the Echo listening device by hacking it?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  24. Imagine My Shock. by Anonymous Coward · · Score: 0

    N/A

  25. The newer versions by Anonymous Coward · · Score: 0

    Don't have this physical vulnerability, it's now a built in function. You just gotta figure out how to access it.

  26. For my next trick... by Anonymous Coward · · Score: 0

    watch me turn water into water!!!

  27. The Federation is a Surveillance Dystopia by Anonymous Coward · · Score: 0

    Star Trek had it right. First you poke the button on the communicator, then it listens...

    Unless you're on the bridge, or in engineering, or ...

    "Computer," and the computer AI responds. Sounds like always listening to me, and ubiquitous surveillance aboard the Enterprise whether or not you have to jab your chest magnet in order to make a call.

  28. Guess What? by Anonymous Coward · · Score: 0

    The NSA has been able to do that with cell phones for quite some time. AND, they don't need physical access to the device to do it.

    So, shove that in your tinfoil pipe and smoke it.

  29. Not new News... by martinfb · · Score: 1

    This is NOT new news. So, this old news attention on SlashDot must have another agenda.

    --
    Self-importance and self-indulgence is the root of ALL evil.