
When the music stops…

The Amazon Echo vulnerability exposed by MWR highlights the need for manufacturers to consider product security more keenly.

Picture the scene: having had a stressful day at a company away day, you return to your hotel room and ask your Amazon Echo device to play some relaxing music – Enya, Sade, Metallica perhaps. As you open the exorbitantly priced bottle of red wine/antifreeze from the room’s mini bar, your mobile rings. Reluctantly, you pause the music, set down the bottle and take the call from your CFO to discuss your company’s sales performance in the last quarter and whether your budget will allow for any M&A activity in the coming months.

Safe in your hotel room, and not being a bit part in a James Bond film, you feel comfortable discussing such information. But what if the Echo, which was just a few moments ago lowering your blood pressure with Adele’s dulcet tones, is now recording every word you say and relaying it back to your closest industry rivals or to nation-state saboteurs?

With the rise of devices like the Echo has come a corresponding rise in the risk of their being tampered with to the detriment of their owners.

Recent research from MWR has shown that 2016 models of the Echo are vulnerable to a physical attack that allows an attacker to gain access to the device’s Linux operating system and install malware without leaving physical evidence of tampering. Such malware can grant attackers persistent remote access to the device, steal customer authentication tokens, and enable them to stream live microphone audio to remote services without altering the functionality of the device.

[Video: Watch MWR Security Researcher Mark Barnes explain to Forbes the nature of his hack]

While Amazon has fixed this specific vulnerability in 2017 models and beyond, this example points to a wider industry issue: devices need to be subject to independent product security evaluations so that issues are identified and can be remediated.

MWR’s research simply transformed the Echo device into an expensive microphone, but the possibilities for further manipulation are diverse. For instance, compromise of such devices could give intruders access to a user’s network, financial information and account keys for the services to which the device is linked.

Granted, manipulating pre-2017 Echos requires physical access and the scenarios in which one could be targeted are, currently, few. However, product developers should not take it for granted that their customers won't expose their devices to uncontrolled environments such as hotel rooms.

Equally, customers, particularly corporate buyers, need to be aware that the products they buy and deploy might have flaws. Even large, multinational vendors are capable of mistakes, as evidenced here. Organizations that deploy connected devices across their network should obtain third-party assurance that the product maker is implementing sufficient security controls and that using the product is not going to introduce additional risk to their business.

Ultimately, product recalls and modifications cost businesses dearly. As such, in-depth product security reviews can provide an understanding of a product’s security posture and allow the remediation of identified issues before they are exploited. This can prevent a loss of confidence in the product and, for organizations that have deployed it, compromise.

MWR’s own Security Research division provides product security reviews, involving in-depth investigations of a product or technology to identify security vulnerabilities.
