Amazon Echo Show falls victim to an old flaw at hacking contest

It illustrates the 'patch gap' that allows attacks on many smart devices.

Nicole Lee/Engadget

The latest iteration of the Pwn2Own hacking contest just underscored an all-too-common flaw with smart home devices. The security research team Fluoroacetate hacked into an Amazon Echo Show 5 by taking advantage of its "patch gap" -- that is, its use of older software that had been patched on other platforms. Brian Gorenc, the director of contest host Zero Day Initiative, explained to TechCrunch that the smart screen uses a not-so-current version of Google's Chromium browser engine that leaves it vulnerable to attacks. Fluoroacetate exploited this out-of-date code by using an integer overflow JavaScript bug to hijack the device while it was connected to a malicious WiFi network.

The patch gap was a "common factor" in many of the Internet of Things hacks at the contest, Gorenc added.

This was the first time contestants could target devices in the Home Automation category, and there were a number of firsts beyond that. Fluoroacetate also compromised a Sony X800G TV (the first television target for Pwn2Own) through a JavaScript flaw in its web browser, while Team Flashback cracked the first router by using a buffer overflow to gain control of a Netgear Nighthawk R6700 router. Not everyone was successful, though -- a Facebook Portal withstood hacking attempts.

Amazon said it was "investigating" the Echo Show 5 hack and would take "appropriate steps" to safeguard its devices, although it didn't elaborate on what it would do or when. It's safe to say the result illustrated the security risks involved in making smart home devices. Companies may have to fork software (and thus add extra work) to optimize it for connected devices, but that can also introduce flaws if developers aren't committed to keeping that special code up to date.
