The Amazon Echo Dot is a popular home voice assistant, often trusted to control heating, lighting, music and even door locks. Personally, I use mine for trivial tasks such as controlling Spotify and setting alarms but you can see that it would make an obvious target for an attack.
The device hosts only two ports – a 3.5mm jack for audio out and a micro USB port for power. This doesn’t leave much scope for a hardware attack, but I thought it might be possible to inject audio via the micro USB port, causing the Echo Dot to perform commands silently. I suppose this counts as a “powerline attack”.
The overall idea was to superpose an audio signal of me saying the word “Alexa” (the Echo Dot’s “wake-word”) onto the 5V USB power rail. Hopefully, the signal would leak into the microphone audio signal and cause the device to “hear” it.
In reality this could be used if an attacker replaced the victim’s Echo Dot power supply with one that would receive audio commands via bluetooth and send them over USB to the Echo Dot.
To test this out I needed to be able to supply up to ~800mA while still driving an audio signal. To achieve this I used a TDA2050 power amplifier which is a Class AB amplifier capable of up to 32W and normally used to drive speakers.
The circuit I used was basically the same as the datasheet application circuit for a single-supply rail, however instead of driving a speaker, it powered the Echo Dot (the DC decoupling capacitor C7 was also removed, obviously). When supplying the circuit with 10V, the output would sit at 5V which is perfect for USB. Without heatsinking, the TDA2050 got untouchably hot but this was fine for a test run.
To make sure that the voltage did not get high enough to damage the Echo Dot, I lowered the voltage to 4.5V so that I could use a 1V peak-to-peak audio wave without going over 5V. Using my phone, I then played a recording of me saying “Alexa” into the circuit using a 3.5mm headphone connector.
The signal was clearly visible on the rail, but unfortunately the Echo Dot did not respond.
I wanted to check that the audio wave I was seeing on the oscilloscope was indeed the correct wave and not just some noise, so I saved the oscilloscope samples to USB and, using Python, transformed them into a WAV file that I could listen to.
The recording shows an almost perfect recreation of the original audio, plus a little bit of noise. So there is definitely nothing wrong with the circuit.
Turning up the volume on the phone made no improvement, other than causing the Echo Dot to turn off when a certain volume was reached, as the voltage on the power rail got too low in the troughs of the audio waves. I also played around with raising and lowering the DC level, to no avail.
Unfortunately, it looks like the device is tolerant to at least naïve audio injection via USB.