The script’s existence is not proof that it is used but the expanded speculation around it is a fun exercise. The only fact I can give about the /bin/dump-ramdump.sh script is that it exists. (For now.)
I can say something different for another script, firewall.sh, on the system. I audited against it with nmap. I enabled features on the Dot (such as using Spotify to open TCP 4070) to test the script’s execution/logic. The ability to audit the script and observe behavior is crucial. The data supports that the firewall.sh script is used. (More would be better!) The images below are part of that audit; TCP 4070 being open after enabling Spotify and then a quick banner grab.
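The before/after comparison behind that kind of audit can be scripted. The following is an added example, not code from the original post or from the Echo Dot system: it parses two nmap grepable (`-oG`) scans and reports which ports a feature change opened. The host address, the scan contents and the function names are constructed for illustration and are not measurements from a real device.

```python
"""Diff two nmap grepable (-oG) scans of one device taken before and after a
feature is enabled, to check that only the expected port was opened."""

# Constructed sample scans (documentation address, not a real Echo Dot).
BEFORE = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 4070/filtered/tcp//unknown///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (998)
"""
AFTER = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 4070/open/tcp//unknown///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (998)
"""


def open_ports(grepable):
    """Return {(protocol, port)} for every port nmap reported as 'open'."""
    found = set()
    for line in grepable.splitlines():
        if line.startswith("#"):
            continue  # comment lines carry no host data
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            # Each entry: port/state/protocol/owner/service/rpcinfo/version/
            for entry in field[len("Ports: "):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open":
                    found.add((parts[2], int(parts[0])))
    return found


def diff_scans(before, after):
    """Classify open ports as newly opened, newly closed, or unchanged."""
    b, a = open_ports(before), open_ports(after)
    return {"opened": sorted(a - b), "closed": sorted(b - a),
            "unchanged": sorted(a & b)}


def unexpected(opened, expected):
    """Ports that opened but were not anticipated for the enabled feature."""
    return [p for p in opened if p not in expected]


if __name__ == "__main__":
    result = diff_scans(BEFORE, AFTER)
    print(result)
    print("unexpected:", unexpected(result["opened"], {("tcp", 4070)}))
```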
Unfortunately I’m unable to do the same level of observing with the dump-ramdump.sh script. I can’t knowingly trigger it, I don’t have a way to image an Amazon Echo Dot, and I don’t have a way to remotely connect and monitor its activity. The script appears to create new memdump logs in the /data/system/dropbox directory. I would love to know the fate of these logs and anything else in the /data/system/dropbox directory.
If you want a copy of the script you can download the system at Amazon Echo Update 567200820 (And where to download it!). Discovery of this script and other fun within the system happened late last year/early 2017. It’s been fun. 🙂
It’s worth noting that recently ArsTechnica ran the story of Amazon refusing to hand over data on whether Alexa overheard a murder, which puts a good perspective on information one could get (possibly) from Amazon about an Echo Dot user if they were motivated to do so. It’s a continuation of the involvement of an Echo in a murder case from 2016.
I wish I had more time to work on this system. Unfortunately taking 19 credits this semester has proven to be the challenge I was expecting. It’s something I still give attention but not at the level of intensity I would like. Hopefully this summer I can focus on it quite a bit more.
I recently presented for the Tucson Computer Forensics and Information Security Meetup. It was mostly on the content I’ve already talked about here – RiotPSA, Amazon Echo Dot system software, etc. I had told people there that the slide deck would be available.
I dislike slides/PowerPoint/etc. I generally make whatever I’m going to present that same day. I’d much rather talk and have a natural flow and slides are a bit limiting. In the end they’re more for me than they are for you. They keep me on track and guarantee that I don’t miss an important idea. These slides are essentially screenshots missing a ton of information given verbally and through live demo. In short: Please do not judge me based on these slides. They are here only because I promised them. I made them on a Saturday to show people for fun.
You can download the slides (PDF) here.
Special thanks to Mari DeGrazia (Twitter, Another Forensics Blog) for organizing the Meetup. Thanks to everyone who attended. It’s always a ton of fun. 🙂
I received an email from Ronald Brakeboer about an update to the Amazon Echo Dot system. He noticed that his unit updated to 567200820. I wasn’t tracking this and unfortunately didn’t have a copy of the update. It was recent so I decided to pick up another unit and hope that it still needed the update. I could then do what I did previously to download the update for analysis. (I could also unplug the unit and keep it in storage to capture future updates as well.)
Sure enough, the plan worked. I’ve posted a screenshot of the capture along with the download URL and some checksums. I hope it helps!
Download & Checksums
This URL once again works with wget. You don’t have to spoof user-agent strings or anything of that nature. 🙂
If you haven’t yet read my Amazon Echo Dot System Image post then check it out. It goes into greater detail as to what I did. Always feel free to email me of course. Thanks!