The owners of the Amazon Echo are used to reading strange news about their devices. The hands-free speaker freaked out people by randomly laughing, standing as a critical witness to a murder, and even recording and sending out private conversations to random people in the contact lists. Recently, the Cybersecurity research division of the Chinese internet giant, Tencent, called Tencent Blade Team, has illustrated a way through which these Internet of Things (IoT) devices can be turned into spy bugs. The hack was presented on Sunday at the Defcon hacking software 2018 and can be applied to all the smart speakers.
Tencent Blade Team’s Defcon entry states, “In the past two years, smart speakers have become the most popular IoT device, Amazon_ Google and Apple have introduced their smart speaker products. However, with the smart speakers coming into more and more homes, and the function becoming more powerful, its security has been questioned by many people.” Tencent cybersecurity team explained that the concern of people regarding the hacking of smart speakers to invade their privacy is indeed valid. They presented a demonstration where they used Amazon Echo’s multiple vulnerabilities to eavesdrop on the user’s conversation and can even record them while staying entirely off the radar and undetected.
The presentation was led by security researcher Wu HuiYu and Qian Wenxiang who took to Twitter to share publicly Defcon’s media server featuring their slides and videos as well as the GitHub code to access them. Wenxiang thanked their viewers for their support and said that his firm would continue to do the work which is required to make the smart devices more secure. According to the Tencent’s Blade Team webpage, the division “has reported more than 70 security vulnerabilities to a large number of international manufacturers, including Google and Apple.” The team said that their goal is to make the internet a safer place for everyone.
Amazon responded to many media outlets assuring its customers that the Echo devices have been updated automatically with the security fixes to cater to this issue. Amazon previously gave the same reaction when another security software company Checkmarx pointed out another potential threat in Alexa. Amazon’s R&D team, Lab126, worked with Checkmarx to implement the necessary changes and upgrades. It is relieving to know that Amazon and security firms are working side by side to safeguard the privacy of the users.