Researchers have developed a method for getting a root shell on the Amazon Echo and then installing a small piece of malware that can transmit live audio from the device to a remote computer or steal user authentication tokens.
The attack relies on physical access to the Echo and requires quite a bit of work to execute. The Echo, which is a combination speaker, personal assistant, and shopping device, has a set of hardware debug pads on the bottom, underneath a removable rubber cover. Connecting to one of those pads allowed the researchers to read the Echo's configuration information, which reveals that it has a three-step boot process. The researchers also found that the Echo tries to boot from an external SD card before attempting to boot from its internal flash memory, allowing them to format an SD card with the boot components needed to bring the device up in a command-line mode.
Once that was done, the researchers from MWR Labs were able to determine the partition on which the file system sits.
“Now we know which partition we want to boot from, we can configure U-Boot to boot from this partition. We also need to change the kernel arguments to mount it as a writable file system and to run /bin/sh rather than the normal startup scripts,” Mark Barnes of MWR Labs said in a report on the attack. “Once booted a root terminal is presented over UART, bypassing all authentication.”
With that done, Barnes was able to install a reverse shell script in a specific directory and add a line to one of the device's initialization scripts, which guaranteed the shell would run each time the Echo boots. After that, the Echo would connect back to Barnes's remote machine on boot, giving him a root shell on the device. Barnes then began looking through the processes running on the Echo to see how audio is passed between them.
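The persistence step above, a line appended to an existing init script, is the kind of change a file-integrity baseline catches. The following is an added example, not code from MWR Labs' report or from Amazon; it assumes a generic Linux init.d-style directory (the script names and contents are constructed) and shows how a defender can snapshot the directory's file hashes and later report anything added, modified or removed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[str(p.relative_to(root))] = file_digest(p)
    return baseline


def save_baseline(baseline: dict, out_file: Path) -> None:
    """Persist the baseline as JSON; in practice keep this copy off the device."""
    out_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def verify_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the directory's current state with the baseline.

    Returns sorted lists of relative paths that were added, modified or removed.
    An init script that gained an extra line shows up under 'modified'.
    """
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Constructed scenario: snapshot a tiny init directory, then tamper with it.

    One existing script gets an extra line appended (the persistence pattern the
    article describes; the command here is a harmless placeholder) and one
    unexpected script is dropped in. Both should be reported.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "init.d"
        root.mkdir()
        (root / "S10network").write_text("#!/bin/sh\n/sbin/ifup eth0\n")
        (root / "S90app").write_text("#!/bin/sh\n/usr/bin/app &\n")

        manifest = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), manifest)

        # Tamper: appended line in an existing script, plus a brand-new script.
        with (root / "S90app").open("a") as f:
            f.write("/tmp/hypothetical_extra_command &\n")  # placeholder, not a real command
        (root / "S99extra").write_text("#!/bin/sh\n")

        return verify_against_baseline(root, load_baseline(manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline has to be taken from a known-good state and stored somewhere the device cannot rewrite, since an attacker with a root shell over UART could just as easily regenerate it; the value of the check is in comparing the device against a copy held elsewhere.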
“Using the provided ‘shmbuf_tool’ application developed by Amazon, we created a script that would continuously write the raw microphone data into a named fifo pipe which we then stream over TCP/IP to a remote service. On the remote device we receive the raw microphone audio, sample the data and either save it as a wav file or play it out of the speakers of the remote device. This technique does not affect the functionality of the Amazon Echo,” Barnes said.
The attack that Barnes developed builds on work done earlier this year by researchers at The Citadel, who detailed the functions of the debug pads on the Echo and developed a bootable SD card image for the device. Barnes stressed that his attack only works on Echo devices from 2015 and 2016, because Amazon changed some of the hardware configuration in the 2017 models, preventing the attack from working.