Alexa isn’t the only one who can listen to you through your Echo.
Security researchers at MWR InfoSecurity have discovered a new vulnerability in the Amazon Echo that lets hackers remotely listen in on any conversations happening within its hearing range.
As explained in a blog post written by MWR’s Mark Barnes, every Echo is equipped with 18 debug pads—metal ports that can be used to test different aspects of the operating system’s functionality—concealed under its rubber base. By connecting a malicious SD card to the right pads, a hacker gains complete access to the Echo’s operating system without any authentication required. This allows him or her to turn the Echo into an eavesdropping device, access the user’s Amazon account, and “basically do anything you want,” Barnes told the Telegraph—all without affecting the Echo’s normal functionality or leaving any trace of tampering.
So, is it time to be paranoid? Not really. For people well-versed in cybersecurity, this kind of vulnerability isn’t really surprising. After all, an Echo is an IoT device with a microphone attached to it. The hack also requires physical access to the device, which makes it even more difficult for an Echo in your room to fall prey to an attacker’s whims. And as Ars Technica points out, the hacker would need to be skilled in Linux and embedded hardware systems.
If you’re still concerned, however, that a tech-savvy friend might tamper with your device, it may be time to refresh your model: The vulnerability only affects devices made before 2017. Alternatively, it may be time to get new friends.