Amazon Echo Rooting
Description
The Amazon Echo is an 'always listening' smart speaker utillising Amazons Alexa Amazon Services (AVS).
The device is vulnerable to a physical attack that allows an attacker to gain root access to the underlying Linux operating system.
Impact
An attacker with physical access could deliver malware onto the device which would grant them persistent remote access and the ability to stream live microphone without altering the functionality of the device or leaving physical evidence of tampering.
Such a vulnerability raises a number of privacy concerns about 'always listening' devices which is important to customers and their trust relations with Amazon.
Cause
This vulnerability is due to two hardware design choices of the Amazon Echo:
- Exposed debug pads on the base of the device
- Hardware configuration that allows for the device to be booted from an external SD Card
The exposed debug pads are easily accessible on the base of the Amazon Echo exposing both UART and connections for an external SD Card. The hardware is configured such that the device will attempt to boot first from this exposed SD Card before the internal memory.
Solution
The SD Card pads on the 2017 edition of the Amazon Echo have been disabled preventing the device from being booted externally.
As this is a hardware fix 2015 and 2016 devices will remain vulnerable.
Vendor Response and Recommendation
"Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date." - Amazon
Technical details
Please refer to the attached advisory and complementary blog post.