August 13, 2018, updated 12 Jul 2022 7:26am

Your Amazon Echo Can be Hacked to Spy On You! Not Easily it Seems

Smart speakers need to be able to listen, but this two-way channel can lead to interesting exploits and attacks.

By CBR Staff Writer

When voice-based home assistants such as the Amazon Echo and Google Home first appeared in the market, worries surfaced that such devices may be harnessed as a surveillance weapon.

This concern still lingers, especially as these smart speakers are constantly being updated and becoming smarter through improved voice recognition technology, artificial intelligence (AI), apps, and Internet of Things (IoT) device control.

As smart home assistants become the hub for daily tasks, home appliance control, task and calendar management, security has become paramount.

Companies such as Amazon and Google understand the need, as severe security vulnerabilities or attacks on consumers could be seriously detrimental to the adoption of Amazon Echo and Google Home, and could batter their respective reputations.

As such, there have been few reports of exploitable firmware-based security flaws, although malicious Amazon Alexa Skills were the subject of proof-of-concept (PoC) attacks earlier this year and a bug was disclosed in Google Home which revealed user GPS details.

Surveillance

Outright surveillance through audio has not been an issue.

However, researchers have now demonstrated ways in which smart speakers can be tampered with to spy on their users.

Speaking at Defcon in Las Vegas on Sunday, Tencent Blade researchers Wu Huiyu and Qian Wenxiang said that such security concerns are “necessary” especially in light of how vulnerabilities can be utilised to compromise these devices.

Yet, throwing out your smart speaker or panicking isn’t necessary as the new technique is technically very difficult and requires stringent conditions to pull off.

As reported by Wired, the researchers took an Amazon Echo and modified the device. A number of components which were soldered on, such as its flash memory, were removed.

The chip was then flashed and given new firmware which granted root access before being re-soldered into the Echo.

It took several months, but Tencent was able to find a number of vulnerabilities in the Alexa interface of Amazon.com. According to the publication, these bugs included cross-site scripting (XSS), URL redirection, and HTTPS downgrade attacks.

These bugs could be utilised in an attack chain to connect the altered Echo with a victim’s Amazon account.

The next step requires both the hacked Echo and target Echo to be active on the same Wi-Fi network. This would require the attacker to know the login credentials of the network, or alternatively, a brute-force attack would need to uncover the Wi-Fi password.

If this connection is established, a software component called the Whole Home Audio Daemon can be compromised through a bug which permits attackers to gain remote control of the speaker and play any sound they choose, or silently record audio which could, in theory, be transmitted to threat actors.

The researchers notified Amazon of their findings and all of the vulnerabilities mentioned have now been patched.

While few threat actors would go so far to compromise a speaker even if the attack chain were still possible, the findings do highlight the fact that vulnerabilities in Echo devices may be a real threat to the future of smart devices and IoT gadgets.
