A vulnerability in older Amazon Echo devices can be used to make the home assistant relay conversations to eavesdroppers while the owner remains none the wiser.
Research by MWR InfoSecurity found it’s possible to turn an Echo into a covert listening device without affecting its overall functionality. One big limiting factor: the process does involve the attacker being able to gain access to the physical unit, but it’s possible to tamper with the Echo without leaving any evidence.
The vulnerability comes as a result of two design choices: exposed debug pads on the base of the device and a hardware setting which allows the device to boot from an external SD card. By exploiting these two features, the attacker can access the root shell on the Linux operating system and perform the attack.