Mark Barnes said the attack on some versions of the Echo let him do almost anything he wanted to it.
Mr Barnes managed to enter the device's software innards via connections found on its base.
He said taking over the device was "trivial" once an attacker had access to an Echo.
Amazon's Echo uses artificial intelligence (AI) to respond to voice commands from users to carry out many different functions, including answering queries, playing songs and ordering goods from a retailer.
Getting physical
The hack started by peeling off the rubber base of the Echo to expose a grid of electrical contacts, wrote the researcher from MWR Info Security in a blog.
Connecting to one of the contacts let Mr Barnes watch the Echo's boot-up procedure and work out how it was configured. Armed with this knowledge, Mr Barnes wrote software that, once loaded on a small memory card and connected to one contact pad, gave him control over the device.
Using this he examined how it handled audio and then created attack code which forwarded everything it heard to a remote server.
That deep access meant he had complete control over the code the device ran and what it did with customer data, he said.
Amazon did not comment directly on Mr Barnes' findings but said in a statement: "Customer trust is very important to us.
"To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date."