Hackers Expose Scary Amazon Echo Vulnerability

Security researchers Wu Huiyu and Qian Wenxiang have discovered a terrifying way to turn an Amazon Echo into a spy bug.

The researchers demonstrated their method onstage at the Def Con hacking conference on Sunday. To orchestrate the attack, they took apart an Echo, removed the flash chip from its motherboard, loaded it with custom spyware, and then re-attached the chip.

Credit: Shaun Lucas/Tom's Guide — (Image credit: Shaun Lucas/Tom's Guide)

The firmware is then able to find and link up to a targeted Amazon account using "cross-site scripting, URL redirection, and HTTPS downgrade attacks," according to Wired, which first reported the news.

The device can also then access other Echo devices on its same network.

MORE: How To Delete Recordings From Your Alexa History

The doctored device can take advantage of Whole Home Audio Daemon, the software component that allows Echos on the same network to talk to each other, to gain full control over a targeted speaker. This means you could do anything from playing creepy music and calling Ubers for people to seizing control of their microphone and secretly recording audio.

There are some limitations to this attack: It requires that hackers have access to a device's hardware, and that they have the target's Wi-Fi password. But the researchers told Wired that such an attack could still work in public places, like hotel rooms or schools, with public passwords.

The hackers have informed Amazon of the vulnerability, which the company told Wired it has already patched.

More on Alexa

See more Smart Home News

TOPICS

Monica Chin is a writer at The Verge, covering computers. Previously, she was a staff writer for Tom's Guide, where she wrote about everything from artificial intelligence to social media and the internet of things to. She had a particular focus on smart home, reviewing multiple devices. In her downtime, you can usually find her at poetry slams, attempting to exercise, or yelling at people on Twitter.

Latest in Smart Home

I'm a firefighter's daughter and this $55 smart smoke detector is the one I want for my own home

Hate it when your Ring doorbell alerts you all the time? Here's how to schedule motion detection

Amazon is removing this privacy feature from its Echo smart speakers on March 28 — what you need to know

Apple HomePod with display now rumored for late 2025 launch

Schneider Electric Pulse home energy panels.

The Smart Home Upgrade You’ve Been Missing

Alexa+ — I have 4 big questions about Amazon's new AI assistant

Latest in News

Future Apple Watch models could get a surprising new feature — what we know

iPhone 16 Pro vs iPhone 16 Pro Max in hand showing displays

Forget iPhone 17 — iPhone 18 could get this huge upgrade

The new Husqvarna iQ series robot lawn mower.

Husqvarna’s new robot mowers offer GPS for less

Rendered images of rumored foldable iPhone.

Foldable iPhone report just revealed key details — here's what we know

NYT Connections today hints and answers — Sunday, March 23 (#651)

NYT Strands today — hints, spangram and answers for game #385 (Sunday, March 23 2025)

More about smart home

I'm a firefighter's daughter and this $55 smart smoke detector is the one I want for my own home

Hate it when your Ring doorbell alerts you all the time? Here's how to schedule motion detection

Future Apple Watch models could get a surprising new feature — what we know

See more latest

6 Comments Comment from the forums

Brad_53

Requires physical access to accomplish? OoooOOoooo so scary.
Reply
jsmithepa

21228758 said:
Requires physical access to accomplish? OoooOOoooo so scary.
Perfect for the crazy Ex.

Reply
aquielisunari

21227818 said:
Security researchers have discovered a way to turn an Amazon Echo into a spy bug.

Hackers Expose Scary Amazon Echo Vulnerability : Read more

So first they need psychic abilities to know I have an Echo. They then need to hack my home's security and compromise the manual locks. By this point and time the Echo should be the least of my worries.

In short if you have a hacker friend you need to be scared, very very scared.

Danny Ocean however could have a field day at the manufacturing plant and use the exploited Echo's to make some withdrawals.

Hackers as young as 5 or 6 can do so much. By the age of ten they can hack voting booths and skew the results. This cat and mouse game just keeps going and going and going and going and going...
Reply
USAFRet

My Amazon Echo is right were it needs to be. On the shelf in some random warehouse, right next to the Google Dot.
Reply
nobspls

"So first they need psychic abilities to know I have an Echo. They then need to hack my home's security and compromise the manual locks. ...."

Go on and bury your head in the sand a little deeper. It will feel better. They just need to trick you into accepting a compromised Amazon delivery, starting from the Amazon warehouse. You know how many poorly treated workers there would do this for a bribe or two? This is would be cake to do, especially considering state actors like China and Russia, LOL. Heck even the NSA might be in on it too.

Reply
aquielisunari

21232197 said:
"So first they need psychic abilities to know I have an Echo. They then need to hack my home's security and compromise the manual locks. ...."

Go on and bury your head in the sand a little deeper. It will feel better. They just need to trick you into accepting a compromised Amazon delivery, starting from the Amazon warehouse. You know how many poorly treated workers there would do this for a bribe or two? This is would be cake to do, especially considering state actors like China and Russia, LOL. Heck even the NSA might be in on it too.

Who is they? Why an Amazon delivery? I haven't shopped there in years. Your scenario is implausible.

Reply

Show more comments

Sign up to get the BEST of Tom's Guide direct to your inbox.