
Amazon Echo physical vulnerability discovered, 2015-2016 devices affected

Sauron

Source: https://labs.f-secure.com/archive/alexa-are-you-listening/

 

Apparently all 2015 and 2016 Amazon Echo devices are vulnerable to a physical exploit that allows an attacker to gain root access to the system. The exploit (detailed in the source) is fairly trivial to take advantage of and leaves no trace. It uses the exposed debug pads on the Echo's logic board to boot the device off of an SD card, which is then used to take control of the firmware (effectively a Linux based system).

 

[Image: EchoLab2]

 

The setup might seem impractical but consider that the wires are only there for the researchers' convenience - one could easily construct an adhesive breakout board and attach it to the debug pads or find some other way of connecting to the pads without soldering.

 

There is no fix you can implement on a vulnerable model; however, the issue has been resolved with the 2017 release. Here's how you can check if your device is vulnerable:

Quote

This vulnerability has been confirmed on the 2015 and 2016 edition of the Amazon Echo; however, the 2017 edition is not vulnerable to this physical attack. The mitigation implemented by Amazon was to join the +3V input pad with the MOSI/CMD pad somewhere on the main board; this effectively disables SPI communications with an external SD Card, preventing external booting.

To identify if a device is vulnerable you can check the original pack for a 2017 copyright and a device model number ending 02.

Image of the vulnerable 2016 edition with the model number 23-002518-01:

[Image: oldModel]

Image of the fixed 2017 edition with the model number 23-002518-02:

[Image: newModel]

Note the white edition has a slightly different number of 23-002517-0x.

The attack requires physical access, so it's not as bad as it could be; however, as the researchers pointed out, this poses a big risk for public deployments such as hotel rooms.

Quote

Rooting an Amazon Echo was trivial; however, it does require physical access, which is a major limitation. However, product developers should not take it for granted that their customers won't expose their devices to uncontrolled environments such as hotel rooms.

My opinion:

Don't buy devices that require an open microphone to work and don't publish their source code. If you go to a hotel with an Echo device in the room, disconnect the power - even if it's post 2017; just because it's not vulnerable to this attack doesn't mean it's not vulnerable to undiscovered ones. It's just a privacy hazard.

 

-edit-

I should add that this is fairly old news, but since this wasn't talked about on the forums I thought it was worth sharing.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


33 minutes ago, Sauron said:

My opinion:

Don't buy devices that require an open microphone to work and don't publish their source code. If you go to a hotel with an Echo device in the room, disconnect the power - even if it's post 2017; just because it's not vulnerable to this attack doesn't mean it's not vulnerable to undiscovered ones. It's just a privacy hazard.

You DO realise if it's based on GNU Linux it would be illegal to NOT publish the source code, right?

 

Also, if you don't publish source code then it's harder to find more easily exploitable software issues or if the device is deliberately snooping on you, which are a far bigger risk than this.

 

Almost all devices have physical exploits, they exist so the factory can flash the firmware in the first place and IMO are a good thing, as it means if the manufacturer stops supporting a device you can hack it and continue using it, rather than it ending up as e-waste.

 

That fix is also laughable, as if the lines have been joined on the PCB then they can be disconnected again; it just takes a little more work (potentially a few seconds with a sharp craft knife once you've found the spot).

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


4 hours ago, Alex Atkin UK said:

You DO realise if its based on GNU Linux it would be illegal to NOT publish the source code, right?

They have to publish the source of the kernel and open source components, but not of their apps. His point is nobody can see what the app actually does.

F@H
Desktop: i9-13900K, ASUS Z790-E, 64GB DDR5-6000 CL36, RTX3080, 2TB MP600 Pro XT, 2TB SX8200Pro, 2x16TB Ironwolf RAID0, Corsair HX1200, Antec Vortex 360 AIO, Thermaltake Versa H25 TG, Samsung 4K curved 49" TV, 23" secondary, Mountain Everest Max

Mobile SFF rig: i9-9900K, Noctua NH-L9i, Asrock Z390 Phantom ITX-AC, 32GB, GTX1070, 2x1TB SX8200Pro RAID0, 2x5TB 2.5" HDD RAID0, Athena 500W Flex (Noctua fan), Custom 4.7l 3D printed case

 

Asus Zenbook UM325UA, Ryzen 7 5700u, 16GB, 1TB, OLED

 

GPD Win 2


19 minutes ago, Kilrah said:

They have to publish the source of the kernel and open source components, but not of their apps. His point is nobody can see what the app actually does.

Apologies, I completely misread that to mean the opposite of what he said. DOH!


3 hours ago, Sauron said:

Source: https://labs.f-secure.com/archive/alexa-are-you-listening/

 

Apparently all 2015 and 2016 Amazon Echo devices are vulnerable to a physical exploit that allows an attacker to gain root access to the system. The exploit (detailed in the source) is fairly trivial to take advantage of and leaves no trace. It uses the exposed debug pads on the Echo's logic board to boot the device off of an SD card, which is then used to take control of the firmware (effectively a Linux based system).

 

[Image: EchoLab2]

 

The setup might seem impractical but consider that the wires are only there for the researchers' convenience - one could easily construct an adhesive breakout board and attach it to the debug pads or find some other way of connecting to the pads without soldering.

 

There is no fix you can implement on a vulnerable model; however, the issue has been resolved with the 2017 release. Here's how you can check if your device is vulnerable:

The attack requires physical access, so it's not as bad as it could be; however, as the researchers pointed out, this poses a big risk for public deployments such as hotel rooms.

My opinion:

Don't buy devices that require an open microphone to work and don't publish their source code. If you go to a hotel with an Echo device in the room, disconnect the power - even if it's post 2017; just because it's not vulnerable to this attack doesn't mean it's not vulnerable to undiscovered ones. It's just a privacy hazard.

 

-edit-

I should add that this is fairly old news, but since this wasn't talked about on the forums I thought it was worth sharing.

There is a fix... Glue on the pads and don't let your roommate (who also is studying "evil genius hacker" at college) into your room.


11 minutes ago, 404usrnmntfnd said:

Why the hell did Amazon put debug pads on the final release

Debug pads are often used for individual product testing before they are shipped. The problem here is that the configuration of those pads allows you to boot off external storage, which is definitely unnecessary for quality assessments.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


... I feel like if someone got into your house for long enough to do this to an Echo you have bigger, more immediate problems...

I live in misery USA. my timezone is central daylight time which is either UTC -5 or -4 because the government hates everyone.

into trains? here's the model railroad thread!


10 minutes ago, will4623 said:

... I feel like if someone got into your house for long enough to do this to an Echo you have bigger, more immediate problems...

What about someone staying at a hotel with Echo devices in the rooms doing this and listening in on other guests?

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


Just now, Sauron said:

What about someone staying at a hotel with Echo devices in the rooms doing this and listening in on other guests?

I mean that is a different can of worms, because you could just implant a microphone whether or not it is fixed.

I live in misery USA. my timezone is central daylight time which is either UTC -5 or -4 because the government hates everyone.

into trains? here's the model railroad thread!


3 hours ago, will4623 said:

I mean that is a different can of worms, because you could just implant a microphone whether or not it is fixed.

Yes, but that would be much harder to hide, power and connect to the internet in a reliable way. This is something literally anyone would have the means of doing; it doesn't require expertise or any prior preparation other than taking a small and cheap PCB with you.

2 hours ago, 404usrnmntfnd said:

It would be so simple to make it not bootable. It would take like 1 change

Which is why the 2017 model isn't affected.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


Sounds like a big nothingburger to me, if anything it's cool since you can root it and do other stuff with it. No one's going to come to my place with a programming jig to root my echo without me knowing (not that I have one in the first place).

 

Hotels use a special version that came out after this. If some used the home version before that it was already sketchy since the behavior of the home version was never designed for multiple users changing all the time in the first place.

F@H

Why should I go through the trouble of fixing this with SCIENCE! when I could simply reach for the 9mm? 

Cor Caeruleus Reborn v6

Spoiler

CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 


10 hours ago, Sauron said:

Yes, but that would be much harder to hide, power and connect to the internet in a reliable way. This is something literally anyone would have the means of doing, it doesn't require expertise or any prior preparation other than taking a small and cheap pcb with you.

Which is why the 2017 model isn't affected.

Not really any much harder if you think about it.

 

If you have the time to open an Echo and root it physically, then you could equally put a Pi Mini into a non-rootable Echo and leech power from the PCB. Scripting a login to the hotel WiFi isn't that hard and you could always tap off the Echo's microphone into a USB mic adapter on the Pi.

 

Yes, it's a little more complicated, but honestly if you are only skilled enough to install an off-the-shelf physical hack then what are the odds you can open up an Echo without visible damage or breaking it in the first place?


2 hours ago, Alex Atkin UK said:

If you have the time to open an echo and root it physically, then you could equally put a Pi Mini into a none-rootable echo and leech power from the PCB.

That isn't untraceable. It also requires soldering and a bunch of material that most likely doesn't fit in the Echo.

Spoiler

https://d3nevzfk7ii3be.cloudfront.net/igi/lAdPFSTgCeSWZbOD.huge

2 hours ago, Alex Atkin UK said:

Scripting a login to the hotel WiFi isn't that hard

It actually might be depending on how it's set up. Also I can only imagine how badly the Echo's wifi would interfere with the malicious device.

2 hours ago, Alex Atkin UK said:

you could always tap off the echos microphone into a USB mic adapter on the Pi.

Not necessarily, and remember that the Echo would need to keep working properly for this to have any chance of not being immediately found out.

2 hours ago, Alex Atkin UK said:

Yes its a little more complicated, but honestly if you are only skilled enough to install an off-the-shelf physical hack then what are the odds you can open up an echo without visible damage or breaking it in the first place?

The Echo is quite easy to open, and regardless this isn't about technical prowess on the attacker's part. Using an exploit like this is infinitely more practical than a janky pi 0 wiretap that you have to solder and somehow hide in the extremely small space on the bottom of the Echo, even if it worked.

 

Obviously you can't be sure the room has no hidden microphones in it but that takes effort, money and precise intention whereas this is easier, faster and costs basically nothing to do.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


On 2/11/2020 at 4:43 PM, Sauron said:

Yes, but that would be much harder to hide, power and connect to the internet in a reliable way. This is something literally anyone would have the means of doing, it doesn't require expertise or any prior preparation other than taking a small and cheap pcb with you.

alright but they could hide a microphone anywhere anyway. and then they could have it premade.

I live in misery USA. my timezone is central daylight time which is either UTC -5 or -4 because the government hates everyone.

into trains? here's the model railroad thread!


1 hour ago, will4623 said:

alright but they could hide a microphone anywhere anyway. and then they could have it premade.

I guess they could also just kidnap you and torture you until you reveal the information they want. That's not the point. Premade or not, it would have a cost, it could be found or thrown away by the cleaning service, it would be hard to power and connect reliably (can't exactly connect it to the power outlets), and it probably wouldn't be hard to trace back to you if it were found. That's not something you might want to put the effort in on the off chance that hotel guests say something important. This, on the other hand, is so easy and cheap that it's worth the small time investment.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*
