Amazon Echo Show falls victim to an old flaw at hacking contest

It illustrates the 'patch gap' that allows attacks on many smart devices.
Jon Fingas, @jonfingas
November 10, 2019

Nicole Lee/Engadget

The latest iteration of the Pwn2Own hacking contest just underscored an all-too-common flaw with smart home devices. The security research team Fluoroacetate hacked into an Amazon Echo Show 5 by taking advantage of its "patch gap" -- that is, its use of older software that had been patched on other platforms. Brian Gorenc, the director of contest host Zero Day Initiative, explained to TechCrunch that the smart screen uses a not-so-current version of Google's Chromium browser engine that leaves it vulnerable to attacks. Fluoroacetate exploited this out-of-date code by using an integer overflow JavaScript bug to hijack the device while it was connected to a malicious WiFi network.

The patch gap was a "common factor" in many of the Internet of Things hacks at the contest, Gorenc added.

This was the first time contestants could target devices in the Home Automation category, and there were a number of firsts beyond that. Fluoroacetate also compromised a Sony X800G TV (the first television target for Pwn2Own) through a JavaScript flaw in its web browser, while Team Flashback cracked the first router by using a buffer overflow to gain control of a Netgear Nighthawk R6700 router. Not everyone was successful, though -- a Facebook Portal withstood hacking attempts.

Amazon said it was "investigating" the Echo Show 5 hack and would take "appropriate steps" to safeguard its devices, although it didn't elaborate on what it would do or when. It's safe to say the result illustrated the security risks involved in making smart home devices. Companies may have to fork software (and thus add extra work) to optimize it for connected devices, but that can also introduce flaws if developers aren't committed to keeping that special code up to date.
