The Amazon Echo Show 5 was just one of a number of consumer devices cracked in the Pwn2Own Tokyo 2019 contest over the weekend.
The Echo Show 5 was joined on the security naughty step by two Sony Smart TVs, the Xiaomi Mi9 and the Samsung Galaxy S10 smartphones, and the Netgear Nighthawk R6700 router.
The contest pitted a number of teams in different categories, all competing to demonstrate new security hacks with a pot of up to $750,000 up for grabs, typically for finding and executing remote-code execution flaws. The devices were lined up in broad categories and, in addition to six different smartphones, included wearables, home automation devices, smart televisions from Sony and Samsung, and routers.
Furthermore, the smartphone cracks were broken down in terms of web browser, short-distance networking (such as WiFi, Bluetooth and NFC), messaging and baseband.
In addition to picking up cash prizes of varying amounts, donated by the vendors, teams could also pick-up ‘Master of Pwn Points’, which added together to make an eventual winner.
This year, the Masters of Pwn prize went to Richard Zhu and Amat Cama of Team Fluoroacetate, with the pair earning $60,000 between them taking down the Amazon Echo Show 5, taking advantage of a ‘patch gap‘.
That’s where hackers take advantage of known bugs in software that hasn’t been updated. In this case, a bug in the Chromium browser engine that’s integrated with the Echo Show.
Amazon has claimed that it is investigating the issue and will no doubt rush out a new patch accordingly. The Amazon Echo Show 5 is a personal assistant with a built-in camera, so the lackadaisical security in the built-in, but now outdated, web browser is disappointing.
Nevertheless, the risk of the flaw being compromised in everyday usage is low. The Amazon Echo Show 5 would need to be connected to a rogue WiFi network, which is unlikely for an in-home device that probably sits in one place from the moment it is opened to the day that it gets removed and consigned to landfill.