White-Hat Hackers make Surveillance Devices Out of Echo Speakers of Amazon
From the time Amazon Echo and other 'smart speakers' made their first appearance among global households, these have been regarded as key target in the opinion of security professionals. However, the threat isn't exactly real for no malicious program for the Echo, in particular, exists even today, while proof-of-concept assaults against the gadgets too turned out impractical.
Currently, a team of hackers from China over months designed one fresh methodology that would compromise the voice assistant device of Amazon. But the methodology hasn't yet culminated to give complete hold over the mentioned smart speakers, though remotely. Nevertheless, a practical demo is evident from the process about the way surveillance is possible via silently hijacking the devices.
The white-hat hackers made one fake Echo via removal of certain chip providing flash memory in the gadget, suitably altering its firmware and then acquiring core access followed with fixing it back onto the circuit plate. Thereafter, they placed the smart speaker like an untouched Echo onto the already existing WiFi network. The hackers utilized the whole-home communication system of Amazon along with vulnerabilities in Alexa interface such as web encryption demotions, cross-site scripting and address diversion flaws for acquiring complete hold of victims' speakers to quietly record as well as play anything they chose. Engadget.com posted this, August 12, 2018.
The hackers' assault even in the situation of patched security flaws shows how it's possible to apply some devious tactics for forming a complex phase-wise penetration technique which would effectively weaken even the somewhat secured Echo device.
The rogue Echo, which the team made, works like a tool to attack more Echoes. This is via abusing several web flaws inside Alexa existing in Amazon.com. The flaws are HTTPS downgrades, URL diversion and cross-site scripting- each of which Amazon has already addressed. The process enables in connecting a hacked Echo to the Amazon account of the target user.
Of now, a genuine assault's occurrence has a nominal possibility. A potential spy would be required knowing what way the Echo can be disassembled, find one network of more Echoes to which the device can be linked followed with sequencing multiple exploits.
» SPAMfighter News - 20-08-2018
We are happy to see you are reading our IT Security News.
We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!