Article

When the music stops…

Simon Varcoe
5 mins read

The Amazon Echo vulnerability exposed by F-Secure highlights the need for manufacturers to consider product security more keenly.

Picture the scene: Having had a stressful day at a company away day, you return to your hotel room and ask your Amazon Echo device to play some relaxing music – Enya, Sade, Metallica perhaps. As you open the exorbitantly-priced bottle of red wine/ antifreeze from the room’s mini bar, your mobile rings. Reluctantly, you pause the music, set down the bottle and take the call from your CFO to discuss your company’s sales performance in the last quarter and whether your budget will allow for any M&A activity in the coming months.

Safe in your hotel room, and not being a bit part in a James Bond film, you feel comfortable discussing such information. But what if the Echo, which was just a few moments ago lowering your blood-pressure with Adele’s dulcet tones, is now recording every word you say and relaying them back to your closest industry rivals or to nation-state saboteurs?

With the rise of devices like the Echo, so too has risen the risk of them being tampered with to the detriment of their owners.

Recent research from F-Secure has shown that 2016 models of the Echo are vulnerable to a physical attack that allows an attacker to gain access to the device’s Linux operating system and install malware without leaving physical evidence of tampering. Such malware can grant attackers persistent remote access to the device, steal customer authentication tokens, and enable them to stream live microphone audio to remote services without altering the functionality of the device.

Watch F-Secure Security Researcher Mark Barnes explain to Forbes the nature of his hack

While Amazon has fixed this specific vulnerability in 2017 models and beyond, this example points to a wider industry issue on the need to ensure that devices are subject to independent product security evaluations to ensure that issues are identified and can be remediated against.

F-Secure’s research simply transformed the Echo device into an expensive microphone, but the possibilities for further manipulation are diverse. For instance, compromise of such devices could give intruders access to a user’s network, financial information and account keys for the services to which the device is linked.

Granted, manipulating pre-2017 Echos requires physical access and the scenarios in which one could be targeted are, currently, few. However, product developers should not take it for granted that their customers won't expose their devices to uncontrolled environments such as hotel rooms.

Equally, customers, particularly corporate buyers, need to be aware that the products they buy and deploy might have flaws. Even large, multinational vendors are capable of mistakes, as evidenced here. Organizations that deploy connected devices across their network should obtain third-party assurance that the product maker is implementing sufficient security controls and that using the product is not going to introduce additional risk to their business.

Ultimately, product recalls and modifications cost businesses dearly. As such, in depth product security reviews can provide an understanding on the product’s security posture and allow the remediation of issues identified, before they are exploited. This can prevent losses in confidence in the product, or for organizations that have deployed a product, compromise.

Sign up for the latest insights

Accreditations & Certificates
DNV GL

F-Secure Consulting (F-Secure Cyber Security (Pty) Ltd) is a level 4 contributor to B-BBEE with a procurement recognition level of 100%. Learn more and download our B-BBEE certificate. Click here to read the press release.

Follow us
@fsecure_consult F-Secure-Consulting fsecurelabs