Louise Matsakis, Motherboard:

The Amazon Echo can be turned into a spying tool by exploiting a physical security vulnerability, according to Mark Barnes, a researcher at cybersecurity firm MWR InfoSecurity. His research shows how it’s possible to hack the 2015 and 2016 models of the smart speaker to listen in on users without any indication that they’ve been compromised.

The issue is unfixable via a software update, meaning millions of Echos sold in 2015 and 2016 will likely have this vulnerability through the end of their use.

Barnes executed the attack by removing the bottom of the smart speaker and exposing 18 “debug” pads, which he used to boot directly into the firmware with an external SD card. Once the hack is complete, the rubber base can be reattached, leaving behind no evidence of tampering.

With the malware installed, Barnes could remotely monitor the Echo’s “always listening” microphone, which is constantly paying attention for a “wake word.” (The most popular of these is “Alexa.”) Barnes took advantage of the same audio file that the device creates to wait for those keywords.

The way I read it, this does require physical access, but once the hack is installed, there’s no obvious way to detect its presence, and an update won’t get rid of the malware.

Feh.