The Amazon Echo Hack
Amazon EchoConcerned about hacked listening devices? By now, you have probably heard about the researchers at MWR InfoSecurity that were able to modify the Amazon Echo (also known as “Alexa” from the name it responds to) to allow them to load software that would turn the unit into a remotely controlled listening device. Adding to the ominousness is that once the unit has been hacked, it will still look and function like the original.

But your Echo may not be the only thing to worry about. Common home and office items have been hackable for a very long time.

The security concerns of Alexa are significant, but such threats should also be considered in light of what it takes to make them work. In the case of the Echo, the unit must be disassembled, electronically connected to, and the internal software must then be modified. This does take a fair amount of skill and technical expertise.

But what else?

Before you throw out your Echo, it’s important to recognize that Alexa is not alone.
The threat of hacked or modified devices has been with us from the beginning days of eavesdropping and spy activity.

Those involved in protecting privacy, specifically those in the technical surveillance countermeasures profession (TSCM), have been actively working to find and eliminate such devices from businesses and homes for decades.

Dangers are not just limited to items that have been hacked. There are also eavesdropping vulnerabilities that do not require modification of equipment at all.

Eavesdropping at a door

Consider some of the history of eavesdropping.

Early threats

The term eavesdropping comes from a time when people could stand under the eaves of a house and listen in to conversations from within the home. An open window could still provide that opportunity today.  Air vents will also allow sound to travel from one location to another.  I remember as a youngster visiting my cousins’ home. There was a vent grate on the second floor that was opened to the living room below. The boys would hang out by the vent to listen to what our sisters were talking about in the room below.

The Great Hall of Edinburgh Castle was designed with an opening over the fireplace, called the Laird’s Lug. The opening allowed the lord of the castle to eavesdrop on his guests when they gathered below. In 1984, Mikhail Gorbachev was scheduled to have a meeting in that room and requested the opening to be bricked up.

Air vents in offices today can similarly allow sound to travel between rooms. It is important to be aware of your environment if you are having confidential discussions. You may want to move to a different location if there’s a chance someone may overhear you.

Later developments

The introduction of the telephone to society brought wired microphones directly into everyone’s home and office. Actual tapping into wires would allowed one to listen to the telephone conversations on that line. By adding a few simple modifications to the unit, known as a “hook switch bypass“, the microphone in the phone would be activated even when a phone call was not taking place. This would allow the eavesdropper to listen to all conversations in the room.

A little sophistication in electronics brought about the “infinity transmitter” also called the “harmonica bug“. When this device was in place, the spy could dial the phone number from anywhere in the world, and by playing a certain tone from a harmonica prior to the phone actually ringing, they could activate the microphone in the phone unbeknownst to the victim at the other end. Note that these were also technical “hacks” that required modification of the unit, yet the phone would still appear normal and function properly. Sound familiar Alexa?

Another vulnerability of older model phones should still be on the list of threats today. It is called a “microphonic ringer“. The ringer in many older style telephone sets used an electro-magnet that would vibrate when the ringing voltage came down the wire. It would cause the clapper in the ringer to bounce back and forth hitting the gongs inside the phone. It was discovered that on many such phones, the clapper would also pick up vibrations from sounds in the room. These vibrations would in turn create small voltage fluctuations in the magnetic coils that would then pass the audio back down the wire. That is basically the description of a microphone- sound vibrations creating small voltages on a wire. You may think these type of phones have disappeared, but due to their reliability, many are still in use in a number of locations- often as backup phones to be used in case of a power failure or if the main PBX or phone system in an office has stopped working.

Microphonic ringer in a 2500 phone set
The ringer of older “2500” style telephones could act as microphones.

Microphonic ringer found in a modern office. 

On one occasion we were performing a security sweep of an executive office in a high-rise building in Cleveland, Ohio. We found no obvious threats within the room. When I went to the nearby phone closet to run tests on the wiring, though, I was able to hear clear audio on a pair of wires coming from the office. Eventually we discovered that a standard “2500” model phone set was connected in a cabinet behind the CEO’s desk. It was there to be used only in emergencies as a backup in case of a power failure or if the company’s digital phone system stopped working. This phone offered a clear example of the microphonic ringer. The vulnerability was not intentional, but it would allow anyone who had access to the wiring panels to be able to eavesdrop on the executive office. In the past when phones with this type of ringer were more common, a unit with a microphonic ringer could easily be placed in an office that was the target of eavesdroppers with the victim unaware they were being spied on.

The Great Seal

One of the most famous spy bugs, “The Thing” was the nickname given to the clever bugging device hidden within the plaque of the Great Seal hanging in the office of the US ambassador to the Soviet Union. The seal was nothing more than a decorative plaque, but it had been hacked and modified to turn it into a unique listening device.

Bug inside the Great Seal Bug inside the Great Seal
Above is a replica of the Great Seal bug that was found in the office of the US Ambassador to the Soviet Union. 

A well known TSCM practitioner, Glenn Whidden (1928-2011), was also a spy for the CIA from 1946 to 1974. He often performed clandestine operations in Moscow and Eastern Europe. He shared stories of many of the technical surveillance operations they performed during the Cold War era. Glenn spoke of installing a microphone and transmitter inside a table leg that was used in the enemy’s meeting room. They had a master carpenter on hand who was able to duplicate the woodwork with the bug hidden behind a screw in the table. The microphone worked so well that they were able to listen to the KGB sweep team that was searching the room. The KGB team did not find their bug.

More current threats 

Modern electronics have made the threat of hacked or modified devices even more significant. Small modules are readily available today that can add Wifi and cellular transmitters to almost any object or appliance. Appliances or objects that already use electricity are especially effective hiding places as the eavesdropping device can tap into power from the appliance’s own power source, allowing it to run without the need for batteries.

These threats can include transmissions of both audio and video as well as other data. They may transmit on dedicated radio frequencies or they could also be designed to use Wifi- possibly your own network- and cellular signals, making them difficult to detect.

Bugging device installed in coffeemaker Bugging device hidden in coffeemaker
The coffee maker above was found to have a transmitter circuit installed in the base. It still made a good cup of coffee.
-Photo courtesy Rick Hofmann.

GSM bugging device in calculator GSM bugging device in calculator
This working calculator had a GSM cellular bug installed. It’s phone number could be dialed from anywhere to listen in.

How concerned should you be?

Should you throw out your Echo? Maybe not, or not yet. When planning countermeasures or defenses against eavesdropping and spying, a first step would be to perform a risk assessment of your own situation and environment. What information is at risk? How likely is it that someone with the skills and the opportunity to perform such a hack would want to spy on you?

If you feel the need to remove your Amazon Echo, you should probably consider other appliances as well. Rather than emptying your kitchen right away, though, it may be prudent to give some thought to your overall security procedures, including considerations like access control, alarm systems, and security cameras.

Business Countermeasures 

If you are in business, the threats are even more pronounced than for most individuals. Proactive or regularly scheduled electronic TSCM sweeps are an important step in protecting privacy and information. A professional TSCM team will not only be able to find active threats, but regular sweeps will also provide a foundation for subsequent inspections. That will be invaluable if any security breach or other incident occurs in the future.

Businesses concerned about Insider Threat should pay particular attention (that should be ALL businesses). Employees as well as executives in your company already have access to confidential areas. They would be able to work on installing potential eavesdropping modifications at their leisure.

speaker in ceiling acts as microphone
This speaker was hanging above the drop ceiling in an office, acting as a microphone.
The wires in an electrical closet were able to be tapped to listen to all office conversations below.

The professional TSCM provider can help you understand the vulnerabilities that may be present in your facility and they will recommend steps to eliminate weaknesses in your communications and information security.

What can I do about Alexa? 

The recently reported Amazon Echo hack is supposedly only possible on pre-2017 units. If you happen to have an older Echo, has it ever been in the hands of an untrusted party? If the answer is yes, then you may want to take more precautions. Amazon recommends only purchasing their devices directly from them, to ensure it has not been accessible by an unscrupulous third party dealer. They also recommend simply using the mute button (which disables the microphone), or unplug the device, if you are having nearby conversations that you must keep confidential.

If you are worried about your Echo, don’t forget to consider all of the other potential hiding places for surveillance devices. For every adversary who may have the skills necessary to modify Alexa, there are many more who could install an active eavesdropping device with much less effort and much more opportunity.

If your concerns are significant, or if you feel you may be a target of eavesdroppers, then a professional electronic sweep should be the next step in your security plan. A professional TSCM provider like Exec Security TSCM will have the tools and techniques for discovering and locating covert surveillance threats, including a hacked Alexa.