Amazon Echo Security Bug Gets Pwned

Laura Bednar | Hacking

Pwn2Own Contest Amazon Echo Hacked

Two whitehat security researchers, Team Fluoroacetate’s Amat Cama and Richard Zhu, recently won this year’s Pwn2Own security contest in Tokyo. The two took home the Master of Pwn title for the third consecutive year along with a $60,000 prize for exposing a massive security breach in the Amazon Echo, a smart display powered by Alexa.


The patch gap vulnerability

Cama and Zhu discovered that the Echo uses an older version of Google’s open-source browser software, Chromium, that had not been patched on the Echo as it had elsewhere, a so-called “patch gap.” The researchers exploited this weakness, an integer overflow bug in the browser’s JavaScript handling, to take control of the device once it was connected to a malicious WiFi network.

Integer overflow bugs occur when an arithmetic operation produces a value too large for the fixed-size integer that is supposed to hold it. The value “overflows” its allotted space and silently wraps around, which can have major security ramifications when the wrapped result is later trusted, for example to size a memory buffer.
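The wrap-around described above, shown on a buffer-size computation: this is an added, constructed C example for illustration, not code from Chromium or from the Echo firmware. The function names and the sample values are assumptions; the checked version shows the guard that prevents the undersized allocation.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed example (hypothetical names): a 32-bit buffer-size
 * computation of the kind that goes wrong on integer overflow. */

/* Unchecked: count * elem_size is evaluated in 32-bit unsigned arithmetic
 * and silently wraps when the true product exceeds UINT32_MAX. */
uint32_t unchecked_byte_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Checked: detect the wrap before it happens. Returns false on overflow
 * and leaves *out untouched, so the caller never allocates a wrapped size. */
bool checked_byte_size(uint32_t count, uint32_t elem_size, uint32_t *out) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size) {
        return false;            /* product would not fit in 32 bits */
    }
    *out = count * elem_size;
    return true;
}

/* Measures the classic consequence without performing it: if a buffer were
 * allocated with the wrapped size and then filled with `count` elements,
 * how many bytes would land past the end of that allocation? */
uint64_t bytes_past_end(uint32_t count, uint32_t elem_size) {
    uint64_t needed = (uint64_t)count * elem_size;       /* exact product */
    uint64_t allocated = unchecked_byte_size(count, elem_size);
    return needed > allocated ? needed - allocated : 0;
}

int main(void) {
    uint32_t count = 0x40000001u, elem = 4, size = 0;
    printf("unchecked size: %u bytes\n", unchecked_byte_size(count, elem));
    printf("checked: %s\n", checked_byte_size(count, elem, &size)
                              ? "ok" : "rejected (overflow)");
    printf("bytes past end if trusted: %llu\n",
           (unsigned long long)bytes_past_end(count, elem));
    return 0;
}
```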

The fallout

There were many other IoT devices at the contest, some more vulnerable than others. “This patch gap was a common factor in many of the Internet of Things (IoT) devices compromised during the contest,” said Brian Gorenc, director of Trend Micro’s Zero Day Initiative, which hosted the Pwn2Own contest. The Facebook Portal, a video calling-enabled smart display, proved resilient in the face of attack, however.

In the wake of the contest, Amazon announced it would investigate the vulnerability and would take “appropriate steps” to patch it, though it neither established a firm timetable nor disclosed what, exactly, it would do. The vulnerability demonstrated the particular demands raised by software forks in the realm of IoT.

A wider problem

A software fork occurs when the code for some already-developed software package is independently developed for another purpose. In the case of the Internet of Things, software such as Chromium is independently adapted for particular devices like the Echo, and if the newly created branches of the software are not properly updated, the results are potentially catastrophic security breaches.

More about the competition

There were other winners in Tokyo this year as well. Pwn2Own is one of the world’s largest hacking contests, where major tech companies invite elite hackers to discover vulnerabilities in their security systems. All told, the victorious teams collected over $315,000 in prize money in the course of the two-day contest, uncovering 18 substantial bugs in a diverse array of products that included new kinds of WiFi routers, TVs, and smart-home devices. Along with Team Fluoroacetate, F-Secure Labs and the new entrants at Team Flashback were the biggest winners. The devices they hacked included:

  • Sony X800G smart TV
  • Samsung Q60 smart TV
  • Healthcare
  • Samsung Galaxy S10 mobile phone
  • TP-Link AC1750 Smart WiFi router

The vendors who produced these devices have been notified, and now have 90 days to patch the vulnerabilities.

Defense Against Security Flaws

The SecureForensics team has experience with all types of cybersecurity issues. We can identify data breaches and report what information was compromised and who was responsible. Our other areas of expertise include malware and spyware removal, computer forensics, mobile phone forensics, and more. If your device has a security flaw that led to a devastating cyberattack, call SecureForensics at 1-800-288-1407 to learn how we can put an end to your risk and detail the incident in a court-admissible report.