
Image credit: Nicole Lee/Engadget

Amazon Echo Show falls victim to an old flaw at hacking contest

It illustrates the 'patch gap' that allows attacks on many smart devices.

The latest iteration of the Pwn2Own hacking contest just underscored an all-too-common flaw with smart home devices. The security research team Fluoroacetate hacked into an Amazon Echo Show 5 by taking advantage of its "patch gap" -- that is, its use of older software that had been patched on other platforms. Brian Gorenc, the director of contest host Zero Day Initiative, explained to TechCrunch that the smart screen uses a not-so-current version of Google's Chromium browser engine that leaves it vulnerable to attacks. Fluoroacetate exploited this out-of-date code by using an integer overflow JavaScript bug to hijack the device while it was connected to a malicious WiFi network.

The patch gap was a "common factor" in many of the Internet of Things hacks at the contest, Gorenc added.

This was the first time contestants could target devices in the Home Automation category, and there were a number of firsts beyond that. Fluoroacetate also compromised a Sony X800G TV (the first television target for Pwn2Own) through a JavaScript flaw in its web browser, while Team Flashback cracked the first router by using a buffer overflow to gain control of a Netgear Nighthawk R6700 router. Not everyone was successful, though -- a Facebook Portal withstood hacking attempts.

Amazon said it was "investigating" the Echo Show 5 hack and would take "appropriate steps" to safeguard its devices, although it didn't elaborate on what it would do or when. It's safe to say the result illustrated the security risks involved in making smart home devices. Companies may have to fork software (and thus add extra work) to optimize it for connected devices, but that can also introduce flaws if developers aren't committed to keeping that special code up to date.
