It is an inevitability that following swiftly on the heels of the release of a new device there will be an announcement of its rooting, reverse engineering, or other revealing of its hackability. Now the device in question is the Amazon Echo, as MWR Labs announce their work in persuading an Echo to yield the live audio from the microphone and turn the voice assistant device into a covert listening device.
The work hinges on a previous discovery and reverse engineering (PDF) of Amazon’s debug connector on the base of the Echo, which exposes both an SD card interface and a serial terminal. Following that work, they were able to gain root access to the device, analyze the structure of the audio buffers and how the different Echo processes use them, and run Amazon’s own “shmbuf_tool” application to pipe raw audio data to a network stream. Astoundingly this could be done without compromising the normal operation of the device.
It should be stressed, that this is an exploit that requires physical access to the device and a bit of knowledge to perform. But it’s not inconceivable that it could be made into a near-automated process requiring only a device with a set of pogo pins to be mated with an Echo that has had its cover quickly removed.
That said, inevitably there will be enough unused Echos floating around before too long that their rootability will make them useful to people in our community. We look forward to what interesting projects people come up with using rooted Echos.
This isn’t the first time we’ve covered the use of an Echo as a listening device.
Via Hacker News.
Amazon Echo image: FASTILY [CC BY-SA 4.0].
Back in May, Amazon announced the Echo Show, its new version of Alexa with a 7 inch touchscreen. The Echo Show is an interesting device, but will the great unwashed masses pony up $229 to buy the show? That’s $50 more than the original Echo, or $180 more than the Echo Dot. With 5.2 million units sold in 2016, Echo has been a resounding success. This has been in part due to Amazon’s open approach to the API. Anyone can build an Alexa compatible device using a Raspberry Pi. Google has (finally) followed suit with their Home device.
It’s not just the hardware that is accessible. Skills Kit, the programmer interface for extending Echo’s functionality, is also open. At CES this year, Alexa was the belle of the ball. Third party devices are being introduced from all corners, all of them connecting to Amazon’s cloud and responding to the “Alexa” keyword.
The Echo Show takes the family in a new direction. Adding a touch screen gives the user a window on the the world not available with voice interactions. Echo Show also includes a camera, which opens up a whole new set of privacy and security questions. Amazon touts it as a device for viewing security cameras, watching YouTube videos, and making video calls. This puts Echo Show dangerously close to the internet appliance category, essentially a barren wasteland littered with the corpses of previous devices. Does anyone remember when Palm tried this with the 3Com Ergo Audrey? How about the i-Opener? Will Alexa persevere and succeed where others have failed? A lot of it will depend on the third party developers, and how Amazon treats them.
Continue reading “Amazon Echo Show”
Nothing makes us feel more like we’re on Star Trek then saying “Computer, turn on desk light,” and watching the light turn on. Of course, normal people would have left the wake up word as “Alexa,” but we like “Computer” even if it does make it hard to watch Star Trek episodes without the home automation going crazy.
There’s a lot of hype right now about how voice recognition and artificial intelligence (AI) are transforming everything. We’ve even seen a few high-profile types warning that AI is going to come alive and put us in the matrix or something. That gets a lot of press, but we’re not sure we are even close to that, yet. Alexa and Google’s similar offerings are cool, there’s no doubt about it. The speech recognition is pretty good, although far from perfect. But the AI is really far off still.
Today’s devices utilize two rather rudimentary parts to provide an interaction with users. The first is how the devices pattern match language; it isn’t all that sophisticated. The other is the trivial nature of many of the apps, or — as Alexa calls them — skills. There are some good ones to be sure, but for every one useful application of the technology, there’s a dozen that are just text-to-speech of an RSS feed. Looking through the skills available we were amused at how many different offerings convert resistor color codes back and forth to values.
There was a time when building electronics meant learning the resistor color code. With today’s emphasis on surface mount components, though, it is less useful than it used to be. Still, like flossing, you really ought to do it. However, if you have an Amazon Alexa, it can learn the color code for you thanks to [Dennis Mantz].
Don’t have an Alexa? You can still try it in your browser, as we will show you shortly. There are at least eight similar skills out there like this one from [Steve Jernigan] or [Andrew Bergstrom’s] Resistor Reader.
Continue reading “Alexa, Sudo Read My Resistor! A Challenge for Hackers”
For some folks, tea is a simple pleasure – boil water, steep tea, enjoy. There are those for whom tea is a sacred ritual, though, and the precise temperature control they demand requires only the finest in water heating technology. And then there are those who take things even further by making a PID-controlled electric tea kettle an IoT device with Amazon Echo integration.
Nothing worth doing isn’t worth overdoing, and [luma] scores points for that. Extra points too for prototyping an early iteration of his design on a RadioShack Electronics Learning Lab – the one with a manual written by Forrest Mims. [luma] started out using an Arduino with a Zigbee shield but realized the resulting circuit would have to live in an external enclosure. Switching to an ESP8266, the whole package – including optoisolators, relays, and a small wall-wart – is small enough to fit inside the kettle’s base. The end result is an MQTT device that publishes its status to his SmartThings home automation system, and now responds when he tells Alexa it’s time for tea.
Projects that hack the means of caffeine are no strangers to Hackaday, whether your preferred vector is tea, coffee, or even straight up.
Continue reading “A Little IoT for Your PID Tea Kettle”
[Chris Grill] got his hands on a pet boa constrictor, which requires a fairly strict temperature controlled environment. Its enclosure needs to have a consistent temperature throughout, or the snake could have trouble regulating its body temperature. [Chris] wanted to keep tabs on the temp and grabbed a few TTF-103 thermistors and an Arduino Yun, which allowed him to log the temperature on each side of the enclosure. He used some code to get the temp reading to the linux side of an Arduino Yun, and then used jpgraph, a PHP graphing library, to display the results.
But that wasn’t good enough. Why not get a little fancy and have Amazon’s Echo read the temps back when you ask! Getting it setup was not so bad thanks to Amazon’s well documented steps to get custom commands set up.
He eventually lost the battle to get the Echo to talk to the web server on the Yun due to SSL issues, but he found an existing workaround by using a proxy.
Continue reading “Alexa Keeps Pet Snake Thermoregulated”
It is interesting to see the wide coverage of a police investigation looking to harvest data from the Amazon Echo, the always-listening home automation device you may know as Alexa. A murder investigation has led them to issue Amazon a warrant to fork over any recordings made during the time of a crime, and Amazon has so far refused.
Not too long ago, this is the sort of news would have been discussed on Hackaday but the rest of my family would have never heard about it. Now we just need to get everyone to think one step beyond this and we’ll be getting somewhere.
What isn’t being discussed here is more of concern to me. How many of you have a piece of tape over your webcam right now? Why did you do that? It’s because we know there are compromised systems that allow attackers to turn on the camera remotely. Don’t we have to assume that this will eventually happen with the Echo as well? Police warrants likely to affect far less users than account breaches like the massive ones we’ve seen with password data.
All of the major voice activated technologies assert that their products are only listening for the trigger words. In this case, police aren’t just looking for a recording of someone saying “Alexa, help I’m being attacked by…” but for any question to Alexa that would put the suspect at the scene of the crime at a specific time. Put yourself in the mind of a black hat. If you could design malware to trigger on the word “Visa” you can probably catch a user giving their credit card number over the phone. This is, of course, a big step beyond the data already stored from normal use of the system.
It’s not surprising that Amazon would be served a warrant for this data. You would expect phone records (although not recordings of the calls) to be reviewed in any murder case. Already disclosed in this case is that a smart water meter from the home reported a rather large water usage during the time of the murder — a piece of evidence that may be used to indicate a crime scene clean-up effort.
What’s newsworthy here is that people who don’t normally think about device security are now wondering what their voice-controlled tech actually hears them say. And this is a step in the right direction.
Behold the unholy union of Amazon’s Alexa and that feature-limited animatronic bear from the 80s, Teddy Ruxpin. Alexa Ruxpin?
As if stuffing Alexa inside a talking fish weren’t bad enough, now Amazon’s virtual assistant can talk to you through the creepy retro plush thanks to [Tinkernut]’s trip down memory lane. Having located a Teddy Ruxpin on eBay for far less than the original $70 that priced it out from under his childhood Christmas tree, [Tinkernut] quickly learned that major surgery would be necessary to revive the Ruxpin. The first video below shows the original servos being gutted and modern micro servos grafted in, allowing control of the mouth, eyes, and nose via an Arduino.
With the bear once again in control of its faculties, [Tinkernut] embarked on giving it something to talk about. A Raspberry Pi running AlexaPi joined the bear’s recently vacated thorax with the audio output split between the bear’s speaker and the analog input on the Arduino. The result is a reasonable animation, although we’d say a little tweaking of the Arduino script might help the syncing. And those eyes and that nose really need to get into the game as well. But not a bad start at all.
This isn’t the first time that Teddy Ruxpin has gone under the knife in the name of hacks, and it likely won’t be the last. And the way toy manufacturers are going, they might just beat us hackers to the punch.
Continue reading “Raspberry Pi and Alexa Make Teddy Ruxpin Smarter than the Average Bear”