Echo & Alexa Forums

Echo Making Clear Text HTTP Requests


dj_skully

Echo Making Clear Text HTTP Requests
« on: October 02, 2015, 05:06:21 pm »
Hi all, I've been doing a research project on the Echo with a focus on analyzing it for security weaknesses. Through some of my passive analysis, I have noticed that the Echo makes requests out to the cloud for various Debian package *.deb files. I can post what I have captured if anyone is interested. Does anyone have an idea why the Echo would be constantly pulling these files down? It is a good amount of them and they don't seem to stop, really. Updates of some sort? I wonder if I could run a MITM attack and send the Echo modified binaries? Probably some kind of signature check, but still...

Again, if anyone is interested I can post a sample of the .deb files and the pcaps.

Hooloovoo

Re: Echo Making Clear Text HTTP Requests
« Reply #1 on: October 12, 2015, 02:45:05 pm »
I have done the same. I found that it was pulling .ipk packages instead of .deb packages. The first package it pulls is an index of some sort, and contains URLs and hashes for all of the other packages, and it appears to be downloading these so it can update. I have not let mine finish updating, but I presume it is trying to update to 2723. I have pulled all of the packages down and extracted them, and I now have a fairly complete root file system.
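The index-then-packages fetch described above, as an added Python illustration that is not code from this thread or from the Echo's own updater: it assumes an opkg-style Packages stanza format (Filename/SHA256sum fields), uses constructed index text, a placeholder host and constructed package bodies, checks each downloaded body against the hash the index advertised, and flags entries that were fetched over plain HTTP.

```python
import hashlib

# Constructed opkg-style "Packages" index. The stanza format is an assumption;
# the thread only says the index carries URLs and hashes for the other packages.
SAMPLE_INDEX = """\
Package: wifid
Version: 1.0-r1
Filename: http://updates.example.invalid/wifid_1.0-r1.ipk
SHA256sum: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

Package: btd
Version: 2.3-r4
Filename: http://updates.example.invalid/btd_2.3-r4.ipk
SHA256sum: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

# Constructed bodies standing in for the downloaded .ipk files: b"abc" hashes to
# the wifid entry; the btd body deliberately does NOT match its entry.
DOWNLOADED = {
    "http://updates.example.invalid/wifid_1.0-r1.ipk": b"abc",
    "http://updates.example.invalid/btd_2.3-r4.ipk": b"not the advertised bytes",
}


def parse_index(text):
    """Return {filename_or_url: sha256hex} from blank-line separated stanzas."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields and "SHA256sum" in fields:
            entries[fields["Filename"]] = fields["SHA256sum"].lower()
    return entries


def cleartext_urls(index_text):
    """Entries the client would fetch over plain HTTP (no transport protection)."""
    return [f for f in parse_index(index_text) if f.startswith("http://")]


def verify_downloads(index_text, downloads):
    """Map each download to True/False: does its SHA-256 match the index entry?

    A match only proves the body is the one the index described. If the index
    itself arrived over cleartext HTTP, a matching hash says nothing about who
    produced either file; that is what a per-package signature has to cover.
    """
    expected = parse_index(index_text)
    return {name: (name in expected and expected[name] == hashlib.sha256(body).hexdigest())
            for name, body in downloads.items()}
```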

dj_skully

Re: Echo Making Clear Text HTTP Requests
« Reply #2 on: October 13, 2015, 01:09:51 pm »
Interesting! I was not previously familiar with the .ipk format, and they were strikingly similar to .deb packages. Nonetheless, I was able to extract them with dpkg. I probably don't have as complete a picture of the file system as you do; would you mind sharing what you have? I plan to attempt to solder into the SD card next week, so I'll be more than happy to share what I find then!

Also, what are your thoughts on a man-in-the-middle attack? What is the possibility of setting up a proxy in the middle that spoofs update responses and sends the Echo malicious versions of, say, "wifid" that open up telnet or something? Is there some reason it would be getting these updates unencrypted?

Hooloovoo

Re: Echo Making Clear Text HTTP Requests
« Reply #3 on: October 14, 2015, 12:32:13 pm »
There is not a chance. I shall send you a manifest file, which should have most of the necessary things in it.

It appears from poking around that all of the packages are cryptographically signed; I haven't looked into how, but it looks strong.

From looking at the things I can see, I think the best bet would be attacking the setup daemon running while in setup mode, or possibly the Bluetooth stack on the ancient kernel.

dj_skully

Re: Echo Making Clear Text HTTP Requests
« Reply #4 on: December 05, 2015, 08:29:55 pm »
Hey thanks again for what you sent me. Currently we plan to use some techniques similar to this:

https://www.exploitee.rs/index.php/Interfacing_with_e-MMC_Storage_Devices

And an example:
https://www.youtube.com/watch?v=rWfSyxYMsPA

With this we should be able to read the OS/firmware straight off the device and release it to the community. What do you think?

Hooloovoo

Re: Echo Making Clear Text HTTP Requests
« Reply #5 on: December 19, 2015, 10:38:19 pm »
From looking at the board with a scope, I have come up with the following pinout for the flash chip. Much of this is based on assumptions I made about test point numbering and placement, and some preliminary tests with an oscilloscope.

TP160: reset - always high when measured (could also be power?)
TP161: CLK - mostly low, goes high sometimes while booting
TP162: CMD - mostly high, goes low sometimes while booting

TP163-TP170: data lines 0-7 - based on numbering, and because they are separate on the board from the other three signals

I have not confirmed anything nor have I tried connecting anything.

I will also attempt to download the image when I get a bit more time and the materials.