Amazon Echo Show falls victim to an old flaw at hacking contest

It illustrates the 'patch gap' that allows attacks on many smart devices.

The latest iteration of the Pwn2Own hacking contest just underscored an all-too-common flaw with smart home devices. The security research team Fluoroacetate hacked into an Amazon Echo Show 5 by taking advantage of its "patch gap" -- that is, its use of older software that had been patched on other platforms. Brian Gorenc, the director of contest host Zero Day Initiative, explained to TechCrunch that the smart screen uses a not-so-current version of Google's Chromium browser engine that leaves it vulnerable to attacks. Fluoroacetate exploited this out-of-date code by using an integer overflow JavaScript bug to hijack the device while it was connected to a malicious WiFi network.

The patch gap was a "common factor" in many of the Internet of Things hacks at the contest, Gorenc added.

This was the first time contestants could target devices in the Home Automation category, and there were a number of firsts beyond that. Fluoroacetate also compromised a Sony X800G TV (the first television target for Pwn2Own) through a JavaScript flaw in its web browser, while Team Flashback cracked the first router by using a buffer overflow to gain control of a Netgear Nighthawk R6700 router. Not everyone was successful, though -- a Facebook Portal withstood hacking attempts.

Amazon said it was "investigating" the Echo Show 5 hack and would take "appropriate steps" to safeguard its devices, although it didn't elaborate on what it would do or when. It's safe to say the result illustrated the security risks involved in making smart home devices. Companies may have to fork software (and thus add extra work) to optimize it for connected devices, but that can also introduce flaws if developers aren't committed to keeping that special code up to date.