It's a fact of modern life that many of us forget: the phones, computers, and other connected devices we depend on can often be used against us as secret listening devices. On Tuesday, attention turned to the Amazon Echo, with a demonstration that showed how hackers can convert some models into devices that can surreptitiously record our most intimate moments.

To be clear, the hack works only against older models of Amazon Echoes. It also requires physical access to the device by a hacker with above-average skills in Linux and embedded hardware systems. That means people aren't likely to be exposed to such attacks unless they own a 2015 or 2016 device and are a target of interest to the Central Intelligence Agency, a similar nation-sponsored spy group, an advanced corporate espionage operation, or a highly determined stalker.

So-called "evil maid" attacks (so named because they're carried out by a house cleaner or other person who has brief access to a target's devices) are valid hacks Microsoft, Apple, and other manufacturers include in their threat modeling. And now, following a proof-of-concept hack by MWR Labs security researcher Mark Barnes, those types of threats are a reality millions of Echo users must consider as well. "This highlights privacy concerns people have about always-listening devices," Barnes told Ars. "It shows the need for developers to have security assessments of smart devices they develop and for organizations to gain assurance of the security posture of any products they purchase before installing them."

Barnes' hack works by gaining root access to a vulnerable Echo and adding commands that surreptitiously capture the raw microphone input and send it to an attacker-controlled computer. Other commands can steal authentication tokens used to access Amazon or, potentially, other services. The technique doesn't affect the normal functioning of the Echo and can't be detected without inspecting the network traffic sent by the device.

To carry out the hack, Barnes removed the device's rubber base and exposed 18 "pads" Amazon engineers rely on to perform various diagnostics. A previously published research paper already showed how to use an attached SD card to load a generic version of Linux onto a device. Barnes used the paper as a starting point for booting into the actual Echo firmware. From there, he installed a persistent implant, gained remote root shell access, and ultimately monitored the input captured by the microphone. Once we had root we examined the processes running on the device and the scripts that spawn these processes.