Security flaws in Amazon Echo that let hackers gain root access cannot be patched

New research has revealed that the 2015 and 2016 models of the Amazon Echo feature security vulnerabilities that can be exploited by hackers to turn them into spying tools.

Security vulnerabilities in the 2015 and 2016 models of the Amazon Echo cannot be patched by software updates, leaving them vulnerable forever.

This major security flaw was revealed by security researcher Mark Barnes at MWR InfoSecurity via a blog post published yesterday. According to Barnes, a hacker can 'gain a root shell on the underlying Linux operating system and install malware without leaving physical evidence of tampering'.

This gives the hacker remote access to the Amazon Echo: they can stream live microphone audio to remote services without alerting users and steal customer authentication tokens. The vulnerability is present in both the 2015 and 2016 models of the Amazon Echo.

Worse, the vulnerability cannot be fixed by a software update, so affected devices remain vulnerable indefinitely. According to Barnes, this is because it stems from two hardware design flaws: exposed debug pads on the base of the device, and a faulty hardware configuration setting that allows the device to boot from an external SD card.

He added that Amazon fixed both design flaws in the 2017 model of the Amazon Echo so the vulnerability has been contained to the older models. The 2016 models of Amazon Echo devices have their model numbers ending with '01' while the 2017 models have their model numbers ending with '02'.

To give some respite to owners of older Amazon Echo models, Barnes added that hackers need physical access to a device to gain root access and to ensure that its microphone is turned on. Users can therefore protect their privacy by using the physical mute button on top of the device, which disables the microphone.

Considering how expensive it is for manufacturers to initiate product recalls and fix design issues, Barnes suggests that they prioritise the physical security of IoT devices throughout the development life cycle, including the planning stage.

'Physical attacks should also be incorporated into any security assessments as early as possible to increase assurance of the product and save money on not having to produce new hardware prototypes later in product development,' he said.

Motherboard spoke to Amazon following the publication of Barnes' research and found that it is possible for hackers to pre-hack older Amazon Echo models and then sell them on the secondary market. Amazon has therefore advised customers to purchase Amazon Echo devices only from Amazon or a trusted retailer.

"Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date," the company said.

Copyright Lyonsdown Limited 2021
