Blog: Internet Of Things

Hacking the Echo echo echo

Ken Munro 02 Jan 2019

Smart home assistant. Not-so-smart TV

Amazon Echo is considered pretty secure in the security community. Remote exploitation is a pipe dream, requiring months of research to stand any chance. But what about using other devices in the home to exploit it instead?

Working on a smart Samsung TV and an older Sony TV with a Chromecast dongle plugged in, we used a couple of different methods.

Method 1: crack the home users Wi-Fi key, then cast to the TV

Many smart TVs will accept casting of certain media content without further authentication. Casting will usually switch on a TV that’s in standby. Time for YouTube!

So we simply recorded a blank video of us saying ‘Alexa, turn off the living room lights’,loaded it to our YouTube channel and cast it over the Wi-Fi network to the TV from outside:

Boom, Alexa heard the audio and the lights turned off:

Next, we made a cup of tea using a smart tea kettle: the Smarter iKettle 3.0 It’s much more secure than the original iKettle that we hacked years ago:

Alexa, turn on the kettle

Not so worrying, but we can do evil things with the Echo. Read on…

Method 2: find homes with a Chromecast instead. It’s easy to find thousands with https://wigle.net e.g:

Bishop Fox found a de-authentication problem in the Chromecast over Wi-Fi back in 2014. Even when set up correctly, a de-auth causes an open Wi-Fi network to appear, from which one can cast media.

We retested this issue against the latest Chromecast and it still works!

A write up of the method is here: https://www.pentestpartners.com/security-blog/new-chromecast-chromecast-audio-have-they-fixed-their-hijacking-issue/

We’ve also found a more efficient way to exploit this that speeds up the process significantly. Again, casting from the Chromecast will usually power on a TV that’s on standby.

Evil Alexa commands

<Alexa, order an iPad>

If your victim has Amazon Prime and 1-Click ordering, this will be ordered!

<Alexa, turn off the house alarm>

Maybe thieves will use this in future to disable an alarm system before breaking in

<Alexa, turn off the lights>

Freak out homeowners on dark winter evenings

<Alexa, set an alarm every day at 3am>

Hehe!

<Alexa, turn the thermostat to 5 degrees>

The Google Nest has a low temperature protection, so it won’t allow your house to freeze, but your home will still be very cold in the winter

And perhaps creepier, create an audio bug if the victim has Echo Calling:

<Alexa, call [attackers phone number]>

Unpleasant media content

Always bear in mind that it’s possible to cast really unpleasant things to the TV. Casting usually forces the TV to switch to the casting input, so your kids could be subject to some very nasty content, if the attacker was so inclined.

A while back I saw a story in the media about mysterious unordered adult toys from Amazon turning up at people’s houses. I wonder if someone used the above method?

<Alexa, order a vibrator>

Conclusion

The Chromecast hack wasn’t our finding, but we don’t think anyone had considered using it to speak to Alexa. Google have known about it since 2014, so it’s a poor show that it still hasn’t been fixed.

Cracking default and weak Wi-Fi keys is still easy.

Amazon Echo is considered to be pretty well secured, but if the devices around it are not, it’s trivial to send audio that it picks up. From there, all sorts of mischief is possible.

Advice

1: Yet another reason that Wi-Fi pre-shared keys need to be really strong

2: Google need to properly fix the Chromecast de-auth bug that allows casting of YouTube traffic

3: Set a PIN for Amazon Prime, so 1-Click ordering requires a degree of authentication

Do you really need voice assistants in your home? Think carefully before you do and certainly mute them before you leave home