The Amazon Echo is an 'always listening' smart speaker utillising Amazons Alexa Amazon Services (AVS).
The device is vulnerable to a physical attack that allows an attacker to gain root access to the underlying Linux operating system.
An attacker with physical access could deliver malware onto the device which would grant them persistent remote access and the ability to stream live microphone without altering the functionality of the device or leaving physical evidence of tampering.
Such a vulnerability raises a number of privacy concerns about 'always listening' devices which is important to customers and their trust relations with Amazon.
This vulnerability is due to two hardware design choices of the Amazon Echo:
The exposed debug pads are easily accessible on the base of the Amazon Echo exposing both UART and connections for an external SD Card. The hardware is configured such that the device will attempt to boot first from this exposed SD Card before the internal memory.
The SD Card pads on the 2017 edition of the Amazon Echo have been disabled preventing the device from being booted externally.
As this is a hardware fix 2015 and 2016 devices will remain vulnerable.
"Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date." - Amazon
Please refer to the attached advisory and complementary blog post.
Issue reported to Amazon Security
Amazon responded with confirmation of the issue
MWR queried Amazon on the issue status
MWR found new devices are not vulnerable
Amazon Lab126 contacted MWR about the vulnerability and to release dates
Public disclosure of vulnerability and technical blog post