Hackers Illustrate Trick That Turns Amazon Echo And All Smart Speakers Into Spy Bugs

Amazon Echo users may be used to reading some strange news about their beloved devices. In the past, the hands-free speakers have freaked people out by randomly laughing, standing in as the key witness to a murder and even autonomously recording and sending private conversations.

A 007-worthy hack

Now, the cybersecurity research division of Chinese internet giant Tencent, called Tencent Blade Team, has just illustrated a hack that can turn these Internet of Things (IoT) devices into spy bugs. The trick, that applies to all smart speakers, was presented on Sunday at this year's Defcon hacking conference.

We will be speaking at DEFCON 101 Track today at 12:00. If you are interested in how to breaking the smart speakers, such as Amazon Echo, you must remember to come over. @Xbalien29 @leonwxqian @DroidSec_cn @defcon #DEFCON pic.twitter.com/WOBbUglKYM

— Tencent Blade Team (@tencent_blade) 12 August 2018

"In the past two years, smart speakers have become the most popular IoT device, Amazon_ Google and Apple have introduced their own smart speaker products," reads Tencent Blade Team's Defcon entry. "However, with the smart speakers coming into more and more homes, and the function becoming more powerful, its security has been questioned by many people."

Tencent's cybersecurity team goes on to explain that the public's concerns regarding the hacking of smart speakers, in order to invade their privacy or worse, are indeed valid. To illustrate their point, they presented a demonstration where they used Amazon Echo's multiple vulnerabilities to eavesdrop on users' conversation and even record them, completely undetected.

Members of Tencent Blade Team @leonwxqian @DroidSec_cn speaking at @defcon More details coming soon！ pic.twitter.com/LFKyAWUdrR

— Tencent Blade Team (@tencent_blade) 12 August 2018

Making the internet safer for everyone

The presentation was led by security researchers Wu HuiYu and Qian Wenxiang who later took to Twitter to share publicly Defcon's media server featuring their slides and videos as well as the GitHub code to access them. Wenxiang thanked viewers for their support and said his firm would continue to do the work needed to make smart devices more secure.

Thank you all for your support, hope you enjoyed the talk.We'll keep doing the responsible vuln. report & disclosure and try to make smart devices more secure.We are Tencent Blade Team of TSRC. Pls Check https://t.co/FRayAdRF7E pic.twitter.com/Ahx5AMMK82

— Wenxiang (@leonwxqian) 12 August 2018

According to Tencent's Blade Team webpage, the division "has reported more than 70 security vulnerabilities to a large number of international manufacturers, including Google and Apple." The team states their goal is to make the "Internet a safer place for everyone."

[see-also]

Amazon was quick to respond to several media outlets assuring Echo users that their devices' have been automatically updated with the appropriate security fixes to address this issue. The firm had the same swift reaction last April when security software company Checkmarx pointed out another potential threat in Alexa.

Amazon’s research and development team Lab126 even worked with Checkmarx to implement the necessary changes and upgrades. It is good to know that both retailers and security firms are working together to safeguard our privacy.