Amazon Echo (shortened and referred to as Echo) is a smart speaker developed by Amazon.com. The device consists of a 9.25 inch (23.5 cm) tall cylinder speaker with a seven-piece microphone array.
Mark Barnes (security researcher at MWR Labs) has discovered that Amazon’s Echo smart speaker is vulnerable to a physical attack that enables an attacker to get a root shell on the underlying Linux operating system and install malware without leaving physical evidence of the hack.
Attackers can get persistent remote access to the device, steal customer authentication tokens, and the capability to stream live microphone audio to remote services without altering the functionality of the device.
“Rooting an Amazon Echo was trivial however it does require physical access which is a major limitation. However, product developers should not take it for granted that their customers won’t expose their devices to uncontrolled environments such as hotel rooms “
Amazon has fixed the security flaw Barnes exploited in its most recent version of the Echo.
“This vulnerability has been confirmed on the 2015 and 2016 edition of the Amazon Echo however the 2017 edition is not vulnerable to this physical attack. “
To recognize if a device is affected you can check the original pack for a 2017 copyright and a device model number ending 02.
