Hackers have figured out how to turn an Amazon Echo into a live microphone. First reported by Wired, the attack requires physical access to the device, is limited to pre-2017 Echoes, and would be difficult to deploy at scale. But when successful, it would allow hackers to pull a live feed of all audio within range of the device, even if the wake word hasn’t been said. The method could also allow hackers to remotely retrieve authentication tokens and other sensitive data from the device.

Researcher Mark Barnes laid out the attack in a blog post earlier today. In simple terms, Barnes’ method compromises the device by booting from an inserted SD card — similar to a LiveCD — and uses that access to rewrite the Echo’s firmware. Once the firmware is rewritten, the hacked Echo can send all audio captured by the microphone to a third party, remaining compromised even after the SD card is removed.

Echo devices made before 2017 could remain vulnerable indefinitely

“Customer trust is very important to us,” Amazon said in a statement. “To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date.”

Barnes’ attack only works on the 2015 and 2016 versions of the Echo. The 2017 model includes an internal hardware change that prevents an inserted SD card from operating as an SPI peripheral, a crucial element of the hack. Without that SPI mode, the Echo can’t boot directly from the SD card, leaving no way to execute the attack.

While that hardware fix effectively blocks the attack, the nature of a firmware-level compromise makes it very difficult to stop at the software level. Any security patches or other software protections deployed by Amazon live in the same firmware the attacker replaces, so they would simply be overwritten along with it. As a result, Echo devices made in 2015 and 2016 are likely to remain vulnerable to the attack indefinitely. Analysts estimate more than 7 million Echo devices were purchased during those years.

“[The attack] does require physical access, which is a major limitation,” Barnes writes in his post. “However, product developers should not take it for granted that their customers won't expose their devices to uncontrolled environments such as hotel rooms.”