Conclusion:<p>> But, basically if one presses the switch it causes the flip-flops to change state and to then either add or remove power from the microphones.<p>> The 'mute' button appears to be very real and functional. When the button glows 'red' the power is removed from the microphones.
Yes, that is the technical conclusion. But maybe the most important thing is that we have to do an actual teardown of the product in order to have some confidence that Amazon is not lying on its Echo capabilities.<p>To be clear, I am not saying we should trust Amazon & Co, I'm saying that if that's the level of trust we have with home assistance devices, why even bother with the stuff?
Disclosure: I'm an Amazon Devices PE, but not on Alexa devices.<p>Jeff (and others) have spoken publicly about this in the past, and this teardown is correct. The hardware is designed such that, if the privacy LED is on, the microphone is unpowered. In order to compromise that, one would need to physically alter/damage the hardware.
The fact that the mike defaults to on after power on is completely understandable from a user interface perspective, but from a security perspective it makes the mute switch useless. Why? Because any attacker that has penetrated far enough to be able to control the SOC in order to snoop can also trigger a SOC reset in order to make sure that the mike is enabled before they start snooping.<p>A physical switch would have been a better choice, if it was actually for security instead of security theatre.
But there’s still a security flaw in this method. If somebody from Amazon decides to record you, they just send a reboot command to the Echo. After reboot, the mic’s state will be changed back to normal, i.e. powered.
To wear a tinfoil hat for a moment:<p>> The SOC (system on chip) controller seems to be connected to the flip flop resets<p>> The 'mute' button appears to be very real and functional. When the button glows 'red' the power is removed from the microphones.<p>Does the microphone take any time to boot up? How far could a malicious SoC get by toggling "reset" on and off very fast? If you toggle the microphone on and off at 96kHz with e.g. a 1% duty cycle, then you'd be able to sample the level from the microphone at 96kHz, and the LED would still be glowing at 99% of its usual current (which would be visually indistinguishable from 100%). This would allow the SoC to record audio at full quality, and still leave the LED glowing.
Very nice writeup, I love the combination of fun writing style and hand drawn schematics with things quickly escalating to decapping chips.<p>Also nice to see that the LED is a real one, even if the micro does have the ability to override the mute switch... I guess the 80's scifi movies with red glowing eyes to indicate the 'evil' subroutine was activated got it pretty close!
This is a really great breakdown of what’s going on in the device. I really appreciate the case removal to look at the inside of the chips, as well as the general explanation of the circuits involved.
Nice to see electronupdate here. For those who don’t know, he also has a YouTube channel[0] where he does teardowns of random ICs. It’s quite interesting seeing the die shots. I’m assuming this post is a continuation of his “part 1” post/video from a week and a half ago[1] about the Echo Flex.<p>His videos are definitely not scripted (and barely edited), which can be off-putting to some (hearing “umm”s among other things), and he doesn’t go into the detail that Ken Shirriff (@kens) does, but they’re interesting nonetheless.<p>[0]: https://youtube.com/c/electronupdate<p>[1]: https://youtu.be/gYPLunFMIEI
The parallel flops are probably hardening against bit flips from ESD events. There aren't any other active protection devices and phantom flips probably showed up at some point during testing of earlier prototypes.
Colour me impressed! I would have expected a digital pin to be used to control the microphone in software, which I wouldn't have been nearly as satisfied to see. Really nicely presented breakdown too.
Interesting read. But if I owned one, I would destroy the trace going to the mic, specifically the one giving power, and install my own physical switch as a physical power switch.
It's likely there are microphones in Echo that even an electronics expert can't "recognize" as a microphone. Any object that is flimsy and can 'vibrate' due to sound can have its position used to alter an electrical signal, and anything monitoring that signal can convert the signal easily back into sound. Even a non-data carrying wire with current can do this.
That's an excellent teardown! Thanks!<p>I think we should appreciate that while this isn't the best or most secure design (I'm not that happy with the host controlling the reset), it at least has an LED that shows the microphone status, which can't be controlled by software.<p>I think this is the very bare minimum we should require from all our digital devices.
There has been a related "talk" on rc3 on the topic, featuring scientists who analysed the traffic: https://media.ccc.de/v/rc3-466940-alexa_who_else_is_listening
I wonder why they needed two flip-flops. Wouldn't one suffice and eliminate the NAND gate?<p>Could the feedback from the transistor be used to debounce via the data line as well?
Don't these mute buttons defeat the purpose of these devices in the first place?<p>If I want to do what generally amounts to a google search it's generally easier to pull out my phone than walk over to the device, flip a switch, and speak.
I had Amazon Flex muted (top and button lights red), then the red light up top started to pulsate blue. I unmuted the Flex by pressing the mute button to see if I had notifications. Flex did not respond but the mute button became red again in a few seconds.<p>TLDR, it appears that the mute function can turn itself on by itself.
An OTA firmware update can change this behavior overnight. Unless it's a physical bounce switch that actually disconnects power mechanically, you are still at the mercy of someone else.
The implication is that the microphone emits completely no signal without power and doesn't have any capacitor to last even a few seconds.<p>Surely the most valuable data is just after the mute is turned on?