Amazon’s Echo Show falls foul to hackers at Pwn2Own contest

AMAZON'S ECHO SHOW has fallen foul to the determined efforts of hackers at the Pwn2Own hacking contest. 

Actually, without wanting to do down the efforts of Team Fluoroacetate, maybe not that determined. The hacking team, made up of Amat Cama and Richard Zhu, earned $60,000 in bug bounties for taking down the Echo Show 5, but did so via a patch gap. That's where hackers take advantage of known bugs in software that hasn't been updated - in this case, a bug in the Chromium browser engine that's part of the Echo Show.

Using this outdated version of Chromium, the researchers were able to take over the Echo Show when connected to a malicious WiFi hotspot by exploiting an integer overflow JavaScript bug, the crafty buggers.

Amazon told TechCrunch that it's "investigating this research" and will take "appropriate steps to protect our devices based on our investigation." No timescale was given, but despite this technically being a zero-day vulnerability, it's a pretty unlikely one to be exploited in the wild. How many people do you know that take their Echo Show for walkies, connecting it to risky looking WiFi hotspots?

All the same, it's not a good look using outdated software on the Echo - a product that literally exists to listen in on you for convenience. The Echo Show 5 is even worse in this respect, given it has a camera built-in too.

On that note, there was a surprise winner from Pwn2Own: Facebook Portal. Facebook's smart screen stood unhacked - either because it has incredibly solid defences, or because nobody has one, so doesn't know how to switch it on. In any case, maybe this will help it get some legitimate five-star reviews. µ

Comments are closed.