New research released by MWR InfoSecurity reveals how attackers can compromise the Amazon Echo and turn it into a covert listening device, without affecting its overall functionality.
Found to be susceptible to a physical attack, which allows an attacker to gain a root shell on the Linux Operating Systems and install malware, the Amazon Echo would enable hackers to covertly monitor and listen in on users and steal private data without their permission or knowledge.
The compromise
By removing the rubber base at the bottom of the Amazon Echo, the research team could access the 18 debug pads and directly boot into the firmware of the device, via an external SD card, and install persistent malware without leaving any physical evidence of tampering. This gained them remote root shell access and enabled them to access the “always listening” microphones.
Following a full examination of the process running on the device and the associated scripts, MWR’s researchers investigated how the audio media was being passed and buffered between the processes and the tools used to do so. Then they developed scripts that leveraged tools embedded on the device to stream the microphone audio to a remote server without affecting the functionality of the device itself. The raw data was then sampled via a remote device, where a decision could then be made as to play it out of the speakers on the remote device or save the audio as a WAV file.
The vulnerability has been confirmed to affect the 2015 and 2016 editions of the device. The 2017 edition of the Amazon Echo is not vulnerable to this physical attack. The smaller Amazon Dot model also does not carry the vulnerability.
More technical details can be found here.
The risk
“The rooting of the Amazon Echo device in itself was trivial; however, it raises a number of important questions for manufacturers of Internet enabled or ‘Smart Home’ devices,” says Mark Barnes, Security Consultant at MWR InfoSecurity.
“The biggest limitation of this vulnerability is the need for physical access to the device itself, but it shouldn’t be taken for granted that consumers won’t expose the devices to uncontrolled environments that places their security and privacy at risk.
“What this research highlights is the need for manufacturers to think about both the physical and digital security risks that the devices may be subjected too and mitigate them at the design and development stage. Whilst Amazon has done a considerable amount to minimise the potential attack surface, these two hardware design choices – the unprotected debug pads and the hardware configuration setting that allows the device to boot via an external SD card – could expose consumers to an unnecessary risk.”
The design flaws that make this attack possible can’t be solved through a software or firmware update, Barnes told Help Net Security.
“And, while it is possible to replicate the method [we used] of accessing the device’s Linux operating system, it’s by no means a pre-made solution and an attacker would still need considerable experience to compile the necessary code to achieve the exploit,” he pointed out.
Still, if the attacker succeeded in doing all of that, and building a small handheld device that can be preloaded with the malware and necessary code, he or she could execute the exploit with just a few minutes of access to the unit.
“And once the attacker has control of the system, they can potentially gain permanent access to it unless the victim somehow detects the intrusion,” he noted.
Mitigation
To mitigate the risk posed, MWR InfoSecurity provides the following recommendations:
- Use the mute button – the Amazon Echo comes with a physical mute button that disables the microphone on the top of the device or can be fully turned off if sensitive information is being discussed
- Monitor for any unusual activity – Whilst this vulnerability is undetectable on the physical device, it is possible to monitor the network traffic and look for any anomalous activity. This could indicate a compromise.
- Purchase directly from Amazon or trusted retailers – As this vulnerability can only be exploited once an attacker has physical access to the device, buying an Amazon Echo second-hand could expose users to the potential purchase of a tampered device.
Following the researchers’ full disclosure of the vulnerability to Amazon, the company has issued the following recommendation: “Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date.”