Security firm shows how a second-hand Amazon Echo can become a spy

When a smart speaker aggregates customer data, or a car dashboard highlights the nearest McDonalds, the marketer and the consumer assume the devices can be trusted.

But recent research by Israeli security firm vpnMentor raises red flags about whether the Internet of Things could turn into the Internet of Spying Things.

What vulnerabilities were discovered? The company recently announced the results of work by a group of “ethical hackers” it employed in March and April of this year.

In one project, the group was able to connect an SD card reader to a first-generation Amazon Echo and install malware that could listen in to the owners’ daily life or interfere with the Echo’s control of other household devices like smart locks or appliances.

The use case for this Manchurian Candidate-like Echo envisions that the hacked speaker was purchased as a used smart speaker on the open market.

Peter Campbell, CEO of vpnMentor’s PR firm, Kaizensearch, said that Amazon corrected the speaker’s vulnerability in the second-generation Echo — but there is no Amazon program to certify any used smart speaker. If some enterprising hacker is able to crack future generations of Echos and they are bought on the used device market, the same infiltration can occur.

He added that Amazon does recommend the owner of a used smart speaker update the firmware, but that assumes the owner knows what to do.

What else did they hack? In another example, the first generation of the Ring smart doorbell was also hacked by vpnMentor. But, Campbell pointed out, that brand doesn’t list the product by generation, so any buyer of a used Ring doorbell is on their own.

vpnMentor was also able to remotely control the Samsung Smart Camera, which is also not listed by generation, and it was able to compromise the security for the August Smart Lock, the Kwikset Kivo Smart Lock and the TP-Link Smart Plug.

“A lot of people are buying smart devices second-hand,” Campbell said, “and failing to reset the firmware.”

Why does this matter to marketers? Imagine that, as in the novel “1984,” every TV was watching you as you watched it. In that environment, how much would consumers trust the advertising they see there?

Telephones have already started veering into becoming tainted devices. A phone call from an unknown party is viewed as suspicious by most people because of the large number of spam calls, and the same could happen if consumers begin to suspect that, say, their smart speakers are tracking them.

Marketers may well realize that brand safety is not just about whether the page or program where the brand’s ad is shown features controversial text or imagery. Safe brand neighborhoods can also include the trust afforded to a given device, so marketers would best target their messages toward the devices that maintain that trust.

UPDATE 9.20.18:

The August brand sent us this statement:

The vulnerability [described above] is not incredibly realistic or common. It involves giving someone Owner access to your lock, revoking it, and them putting their phone into Airplane mode, going to your house and unlocking the door, still in Airplane mode.

The company also noted that “the report rated the August lock as safe (on a scale from Very Unsafe to Very Safe),” and that the risk of buying smart products secondhand “isn’t true for August [because the] cryptographic keys are reset each time the lock is set up — so there isn’t a risk there.”