Two security researchers have scooped a top prize of $60,000 in the Pwn2Own contest, after hacking into an Amazon Echo speaker. Amat Cama and Richard Zhu were able to penetrate the security of the Amazon Echo Show 5, using a technique referred to as an integer overflow exploit.
Annual hacking contest
The attack on the Amazon Echo was part of the hacking contest, held annually at the CanSecWest security conference in Vancouver, Canada, and involved a vulnerability in the browser associated with the speaker system. The hacking experts noticed that the Amazon Echo relies on a dated version of Chromium, the open-source browser that Google has developed, and that this made the speaker system vulnerable.
This bug in the system then enabled the researchers to take complete control of the device once it was connected to a malicious Wi-Fi hotspot. And this was enough for Brian Gorenc, director of Trend Micro’s Zero Day Initiative, to award victory in the Pwn2Own contest to the Amazon Echo research team.
Gorenc told TechCrunch that “this patch gap was a common factor in many of the IoT devices compromised during the contest.” And the vulnerability will certainly raise eyebrows among owners of Amazon Echo devices.
Amazon has already responded to the issue, indicating that it is fully investigating the research and that it will be taking appropriate steps to beef up security imminently. However, there is no word on precisely when the measures will come into force.
The Amazon Echo wasn’t the only device presented to hackers at the show, with a Facebook Portal also being a subject of hacking attempts. However, it was impossible for any of the hackers present to exploit the Portal, which will certainly be encouraging for the social media giant.
Cama and Zhu collectively make up Staff Fluoroacetate, and have been working in this field for several years. Acquiring the skills necessary in order to hack into an Amazon Echo requires an incredible investment of time, as the technical knowledge required is extremely detailed.
The Amazon Echo speaker has proven to be by far the most popular of the smart speakers available on the market, in what is an increasingly important technology niche. Sales of the Amazon Echo have been extremely encouraging, with the smart speaker currently accounting for around 70% of the overall market, ahead of rivals from Google and Apple, among others.
An integer overflow bug arises when an arithmetic operation produces a value too large for the integer type that stores it; in this case the anomaly lies in mathematical operations used by the Amazon Echo system. Currently there are safety implications associated with this problem, and it will be interesting to see what Amazon produces in the near future in order to paper over this crack.
With researchers having already raised privacy concerns with regard to the entire smart speaker concept, the success of the hackers will undoubtedly pose further questions for manufacturers of such technology.