
Alexa, are you listening? - hammock
https://labs.mwrinfosecurity.com/blog/alexa-are-you-listening
======
escapologybb
I may have posted this same sentiment on the other threads on this topic so
please feel free to ignore.

I see some confusion as to why anybody would want these devices in the houses
whatsoever and would like to offer an answer:

Quadriplegia.

Imagine walking into your house one day and all of the keys had been taken off
your keyboard, every light switch is smooth, all of the doorknobs have
disappeared, the controls on your stereo have disappeared and every other
switch, lever and/or physical method of interacting with your devices had
disappeared. That was what it was like to be me as a quadriplegic Geek.

Then came the Amazon Echo and its ilk. The Echo coupled with Home Assistant[1]
has absolutely revolutionised my life and enabled me to do all of the things
above that I wasn't able to do before. It's a pretty compelling reason for me.

Am I worried about my privacy? Absolutely. Am I any more worried about the
Amazon Echo than I am about the microphone in my iPhone, television, MacBook
Pro, iMac and weirdly my fridge? Nope.

As others have pointed out it's a trade-off, I could be completely private and
not be able to do anything or I could accept this somewhat Faustian bargain
and be able to control almost every aspect of my house. Crappy situation to be
in, but there it is.

There are a few open source alternatives coming through which keep everything
within the wire, but until they get traction enough to be able to interact with
all my other devices I can't use them. Which sucks.

Anyway, hopefully this comment was helpful and am available to answer
questions on any topic other than physics. I'm rubbish at physics. :-)

[1]: https://home-assistant.io/

~~~
codazoda
I want these devices for their simple convenience...

My teenage children often leave lights on in the basement of my home. "Alexa,
turn off the basement lights".

I'm also slightly afraid of heights, so I've considered installing smart LEDs
in the can lights in the eaves of my roof. "Alexa, turn the house red."

Sometimes I get hot or cold after I've already gone to bed and I don't want to
walk to the thermostat to see if someone has adjusted it. "Alexa, set the
temperature to 70 degrees."

I worry about the loss of privacy but the day to day convenience is also
pretty compelling.

~~~
gr3yh47
with all the info available about rampant blanket NSA spying/access, and the
content of most privacy policies, the basic operating procedure anymore should
be to assume that all devices are pwned.

if you're cool sprinkling always-on microphones around your house for
convenience, more power to you.

I can't do it.

~~~
codazoda
You probably carry a microphone almost everywhere you go. Your smart phone
might or might not record by default but it can certainly be made to do so.

~~~
pdkl95
> You probably carry a microphone almost everywhere you go.

That's projection; some of us value an expectation of privacy more than minor
conveniences.

> it can certainly be made to do so

Except that isn't the intended purpose of the device. You still have an
expectation of privacy. When you normalize an _expectation_ that you might be
recorded by 3rd party devices, the 4th Amendment no longer applies[1].

This isn't about technology, "targeted advertising", or the NSA. Blinded by
shiny baubles and a handful of not-strictly-necessary conveniences, you're
normalizing social expectations to accept regular automated recording of the
"details of a private home that would previously have been unknowable without
physical intrusion"[2].

Defending internet microphones because they are convenient isn't useful or
convincing. Lots of things sound good when you only consider the benefits.

[1] https://news.ycombinator.com/item?id=15853560

[2] http://caselaw.findlaw.com/us-supreme-court/533/27.html

------
jnwatson
Leaving debug pads is not a vulnerability that most people care about.
Expecting physical tamper resistance is unnecessary for regular appliances.

Even if the debug pads weren't available, one could replace the flash, or use
a scanning electron microscope to modify bits in the main microprocessor. This
isn't a smart card.

Here's a vulnerability that almost every device has: an attacker with physical
access can replace the device with an identical looking device. The new device
might even have explosives!

~~~
TeMPOraL
I wouldn't even call leaving debug pads a vulnerability; I'd call it being not
totally anticonsumer.

------
joshuas
I don't get the fear mongering. It seems infinitely more likely my computer is
compromised than some single purpose device that doesn't load code from third
party developers or visit random web pages.

If we're expecting that Apple/Google/Amazon/Microsoft are the people attacking
us then they have easier ways. If we expect it's outsiders then how do they
even get to my Alexa?

~~~
shawn-butler
They raise the issue of having Alexa devices in semi-private places like hotel
rooms[0].

I think people have an expectation of privacy in a hotel room. And I assume
major hotels have security measures in place to catch consumer-level
eavesdropping devices.

Rooting an Alexa device in this manner seems like something that could easily
be done by a prankster requiring no specialized equipment.

Has anyone stayed in Wynn hotel in Vegas? Are the alexa devices just out in
the open or built into the room somehow that might easily show tampering? Or,
maybe they have only the latest version with the debug pads disabled?

[0]: https://www.prnewswire.com/news-releases/wynn-las-vegas-announces-the-addition-of-amazon-echo-to-all-hotel-rooms-300377995.html

~~~
joshuas
Hacking an Alexa is probably one of the more difficult ways to bug a hotel
room.

~~~
kelnos
More difficult, sure, but also probably less likely to be detected over the
long term.

------
nulagrithom
"The $foo is vulnerable to a physical attack that allows an attacker to gain a
root shell..."

This is true for nearly any device, including your cell phone, your MacBook,
etc, etc, ad nauseam.

And every time these devices come up there's so many comments on how they
would _never_ have one in their home, ostensibly because "it's always
listening".

This is sickeningly naive in my opinion. Any device with a microphone is
capable of the same thing. You shouldn't be trusting your phone any more than
an Alexa device.

~~~
dsp1234
_You shouldn't be trusting your phone any more than an Alexa device._

I don't

------
xyzzy_plugh
This is really cool (rooting devices is wonderful -- and they should all be
open for home modifications!), but also not something that has any real effect
on the average consumer.

Physical attacks are, in my opinion, uninteresting, because you may as well
just plant an old fashioned bug.

Consumers should be wary of purchasing used devices like this generally. I am
not, however, aware of any widespread scams involving physical attacks on
consumer electronics.

~~~
gregmac
> Physical attacks are, in my opinion, uninteresting, because you may as well
> just plant an old fashioned bug.

The one benefit is the target is going to specifically locate this device in a
location where it can hear them, and will relocate it appropriately if they
move furniture, rooms, houses, etc. There's nothing physical to discover to
tip them off.

It's a listening device disguised as a listening device. No need to hide, even
though it's in plain sight.

~~~
rightos
But it'd be trivial for them to slip an extra bit of hardware, wire it to the
existing mic and use that to do all the actions they wish. At the point where
someone has physical access to the device the game is over.

This is not an attack - it's an immutable law, if someone else has unrestricted
physical access to your device, it's not your device anymore.

~~~
TeMPOraL
To be fair, planting a physical bug for longer-term surveillance is more
difficult, because you need to worry about providing power to it, and about
exfiltrating the data. A home assistant device, by its nature, has its owner
ensuring both of those problems are solved for you.

~~~
kelnos
Right, and you also need to worry about it being found. There's nothing
physical about this hack that would tip off the owner that they have an
(unauthorized) listening device in their home.

~~~
rightos
You still need to worry about it being found in the pure software case -
there's far higher odds of me seeing some suspicious traffic than a small
custom bit of RF gear inside. If someone's taking the thing apart and sees
your physical extra bits, odds are they're doing so to dump the firmware, just
like this guy... if they're not doing that, they're not necessarily skilled
enough to spot whatever modifications you may have planted either. It really
depends on the target though I suppose. Of course, at the point you have
physical access, all bets are off, they could swap chips on the board with
identically labeled ones which serve different functions - replace the
firmware and signing with their own, etc. An essentially undetectable hardware
modification.

~~~
kelnos
Two things:

1) I doubt most people are monitoring their home LAN traffic at all, let alone
to the degree that would let them detect something odd here. Even if they are,
there are ways around it -- like simply compressing and storing the extra
voice data and only sending it out when someone makes a legit request to their
Echo. Certainly that's more data, but the access pattern would make it easier
to hide.

2) This hack doesn't require any (lasting) physical modification to the Echo.
You connect to the debug pads on the bottom, do some stuff, disconnect, and
you're done. So there are no physical extra bits to find.

But yeah, my point here was exactly #2 -- physically there is nothing in your
home that was not there before. In the case of a dedicated bug, that's
something physical that the target of surveillance could find and know that
someone is messing with them.

------
Xeoncross
> The Amazon Echo does include a physical mute button that disables the
> microphone on the top of the device or can be turned off when sensitive
> information is being discussed (this is a hardwire mechanism and cannot be
> altered via software).

I had wondered this.

~~~
smileysteve
disturbingly, this is clearly not the case for ecobee.

~~~
chadlavi
... oh I see, they made a new one.

------
djsumdog
I would never have one of these devices in my home, and I'm surprised I see so
many of them in homes of people who are in the tech industry. I wondered if
people in security would have them and so I contacted one of my good friends
who is a security expert. "What's an Alexa device?"

He's a Kiwi. Amazon hasn't made it to NZ yet. He's only seen them on TV shows.

Interestingly this article is nothing about what gets transmitted, but just
hacking the device. It would be kinda cool if we started to see projects to
turn Amazon devices into one of the open source variants like Jarvis.

~~~
craig1f
I think, like with most things, it's all about the tradeoff.

I have one in my house in the living room. It basically exists to have an easy
way of turning on Spotify. We don't have sensitive conversations in the living
room. If someone were listening, they'd mostly get me scolding my children and
asking what's for dinner. They might also steal a token to connect to Spotify.
My AWS account isn't linked to the same account as my Alexa, and requires TFA,
so that's safe.

I wouldn't put this device in my bedroom. I also was less interested when my
kids were young enough that I might actually have a sensitive conversation
anywhere. I'd considered putting one in my tv room to control the tv, but
that's about it.

I don't regard the Alexa as a greater vulnerability to my house than my phone,
and I already accept owning a smart phone. I am concerned about the same
things you are, but I view it as more of a trade-off than a simple "just don't
do it!" attitude.

~~~
jgrahamc
> We don't have sensitive conversations in the living room

Wow. That seems like an amazing commitment. Do you have a SCIF where you
discuss your bank statement with your SO?

~~~
smileysteve
Given the Equifax leaks, you might reconsider if your bank statements aren't
reasonably public information.

------
monochromatic
It baffles me that anyone would allow such a device in their home, let alone
pay for the privilege.

~~~
swlkr
This also confused me when I saw it as well. I wasn't sure if the first echo
was an April fool's joke or if they were serious.

I was even more confused when people actually started buying them. It's always
startling when I go to a friend's house and Alexa gets triggered accidentally.

~~~
DerfNet
It's the new thing, people will always buy or use the new thing just because
it's the new thing.

~~~
ionised
This is a major factor.

People in general are easily impressed by shiny new baubles.

------
Daycrawler
This requires physical access. You can plant surveillance gear all over the
place if you have physical access.

------
larrykwg
Seriously as others have pointed out that's NOTHING. Anyone can do this to
pretty much any device, I did that to my ISP's router even and don't feel it's
any less secure because of it. It's an interesting hack but it's not proof of
any insecurity of Alexa.

I don't think it's such a good idea to over-dramatize these things for personal
gain (like the author) because it hurts the security researcher community as a
whole. I've already lost ANY trust of any security guys talking about the end
of the world vulnerability they found, 99% of the time it's bullshit like this.
But I can read their disclosure and quickly discern what's irrelevant, I can
imagine most non-IT people not able to do this and thus becoming MUCH more
desensitized to ACTUAL vulnerabilities. Yet another boy who cried wolf
security guy, they should've published this as "how to root your alexa" that
would've been actually cool, this is just garbage.

~~~
Incanus_uk
Did you actually try reading the article? It is an in depth guide on how to
root the device and a far cry from a scare piece.

------
Lionleaf
I recently got a Google Home, and I've been thinking about how to potentially
build a "is-the-microphone-actually-recording?" device. A basic one should be
possible just by watching the power draw, but that would probably trigger if
it decides to download a firmware update or whatever too. I expect this has
been done before?

~~~
the_rosentotter
Of course it's listening, at all times. Otherwise it would not be able to
react to the trigger phrase. What is interesting is whether it sends this data
anywhere, and that is probably impossible to ascertain, since it could store
it for a while and tunnel it out with innocent looking traffic.

It would be interesting if it could be determined if it stores the passively
obtained data at all. If one could monitor writes to memory while in passive
state it might give a clue.

~~~
icebraining
Since apparently it can be rooted without affecting the listening process, it
should be possible to monitor writes in pure software.

Of course, it may detect the monitoring and avoid writing in those cases
/tinfoil

------
oh_sigh
What's with the glut of anti-alexa articles recently? Am I just in the
minority of security conscious people who think Alexa is pretty benign?

~~~
Fifer82
I honestly just expected better from HackerNews folks. I am not irritated
oh_sigh, I am just very disappointed.

~~~
oh_sigh
Disappointed in which direction? That I wouldn't care much about alexa as an
exploit vector, or that a lot of nerds do care?

------
joshstrange
I think I might be one of the few people in this thread who now want to buy an
echo specifically to root it and play with possibly connecting it to my own
servers...

------
baldeagle
I solve the sensitive conversation problem by having my device hit an IFTTT
task to disconnect itself from the lan. Then I have another task to turn it
back on.

~~~
eesmith
Couldn't the intermediate conversation be stored and sent when there's
connectivity?

~~~
kodt
Are you talking about a hypothetical hacked Echo, or a standard unmodified
Echo device?

~~~
eesmith
Ahh, I was talking about a hypothetical hacked Echo as described in the
article, or perhaps the sort of Echo modified by Amazon due to court order.

I think now that the top-level comment concerned a standard unmodified Echo
device, so my comment doesn't apply.

------
EADGBE
I'll worry about this when I need to worry about someone breaking into my home
and finding a reason to modify electronic devices utilizing the debug ports on
stationary products.

I also don't take myself so seriously when I don't find a need to.

------
6d6b73
Great, now you could simply buy Echo for someone on your Christmas list, hack
it, and give it to them. And you could always blame it on "hackers".

~~~
icebraining
Or you could give them _any_ electrical device, and stick a mic and
transmitter inside it.

~~~
eesmith
Physically modified devices are harder to blame on "hackers".

------
Verdex_3
I expected a scare piece on privacy but I got an in depth technical break down
of an alexa security bug.

