Advisories

Amazon Echo Rooting

Product: Amazon Echo
Severity: Medium
CVE Reference: N/A
Type: Hardware

Description

The Amazon Echo is an 'always listening' smart speaker utilising Amazon's Alexa Voice Service (AVS).

The device is vulnerable to a physical attack that allows an attacker to gain root access to the underlying Linux operating system.

Impact

An attacker with physical access could deliver malware onto the device, which would grant them persistent remote access and the ability to stream live microphone audio without altering the functionality of the device or leaving physical evidence of tampering.

Such a vulnerability raises a number of privacy concerns about 'always listening' devices, which are important to customers and to their trust in Amazon.

Cause

This vulnerability is due to two hardware design choices of the Amazon Echo:

  • Exposed debug pads on the base of the device
  • Hardware configuration that allows for the device to be booted from an external SD Card

The exposed debug pads are easily accessible on the base of the Amazon Echo, exposing both UART and connections for an external SD Card. The hardware is configured such that the device will attempt to boot from this exposed SD Card first, before falling back to the internal memory.

Solution

The SD Card pads on the 2017 edition of the Amazon Echo have been disabled, preventing the device from being booted externally.

As this is a hardware fix, 2015 and 2016 devices will remain vulnerable.

Vendor Response and Recommendation

"Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date." - Amazon

Technical details

Please refer to the attached advisory and complementary blog post.

Disclosure Timeline

Date        Summary
15/05/2017  Issue reported to Amazon Security
15/05/2017  Amazon responded with confirmation of the issue
15/07/2017  MWR queried Amazon on the issue status
17/07/2017  MWR found new devices are not vulnerable
24/07/2017  Amazon Lab126 contacted MWR about the vulnerability and release dates
01/08/2017  Public disclosure of vulnerability and technical blog post