Amazon Echo Update 567200820 (And where to download it!)

I received an email from Ronald Brakeboer about an update to the Amazon Echo Dot system. He noticed that his unit updated to 567200820. I wasn’t tracking this and unfortunately didn’t have a copy of the update. It was recent so I decided to pick up another unit and hope that it still needed the update. I could then do what I did previously to download the update for analysis. (I could also unplug the unit and keep it in storage to capture future updates as well.)

Sure enough, the plan worked. I’ve posted a screenshot of the capture along with the download URL and some checksums. I hope it helps!

screenshot-from-2017-02-17-10-34-12

Download & Checksums

http://amzdigitaldownloads.edgesuite.net/obfuscated-otav3-9/d764b52fbcff62904cdef78a951a5636/update-kindle-full_biscuit-272.5.6.7_user_567200820.bin

This URL once again works with wget. You don’t have to spoof user-agent strings or anything of that nature. 🙂

SHA1(update-kindle-full_biscuit-272.5.6.7_user_567200820.bin)= 824b94a9664cede9eb2f49ab312fcf66857405ca
SHA512(update-kindle-full_biscuit-272.5.6.7_user_567200820.bin)= a771c05054d33b3e53df4c2a63bdd9a9eda7fbadc11217cb8013bbfa712513f239228f093db72960f5577ed983949dcbf65188850052aafd9776c56bccca6d0a

Additional Reading

If you haven’t yet read my Amazon Echo Dot System Image post then check it out. It goes into greater detail as to what I did. Always feel free to email me of course. Thanks!

Amazon Echo Update 567200820 (And where to download it!)

Vintage Computer Ads

This past weekend I watched the final season of Mad Men. It inspired me to check out some vintage computer advertisements. One site in particular has a nice collection: http://www.vintageadbrowser.com/computers-and-software-ads

A few stand out but I’ll leave it to you to have a favorite. There’s beautiful imagery and a style that seems to have been lost. RiotPSA has to find it’s identity and I think these ads provide great inspiration. Hopefully I can incorporate them (or at least the spirit of them) into future awareness campaigns and announcements.

Vintage Computer Ads

Thought-and-Run

Today I am especially inspired by those around me. 🙂


The availability and accessibility of public spaces are essential for peaceful assembly and freedom of association. In a nutshell: This is why Net Neutrality matters. It provides the public space required for those freedoms to be exercised virtually.

Thought-and-Run

Amazon Echo Dot System Image

My friend sent me a second generation Amazon Echo Dot as a holiday gift. It sounded like a good little opportunity to get the ball rolling on some modeling for RiotPSA. Plus I really wanted one!

I began by capturing Dot network traffic just to see what’s going on. I set up a port mirror on a little 5 port switch to capture all of the Dot traffic. I ended up using tshark for ring buffers. The goal was to capture the initial setup of the Dot and then about an hour of no activity. I would keep the Dot connected but I would not say the Dot trigger word. (The default is Alexa.) After only a few minutes I had captured over 250MB! Something fun was going on.

My suspicion was that the Dot downloaded and applied a system update. This turned out to be true.

Using Wireshark

After the hour of capturing I used Wireshark to do a quick analysis of the data. I gravitate to sorting and filtering. I sorted conversations by bytes in Statistics > Conversations. The majority of IPv4 data (about 270MB) was between the Dot and 72.195.165.64.

wireshark_topconI filtered by right-clicking the conversation and selecting Apply as Filter > Selected > A <-> B. In the Wireshark packet list pane I checked out the traffic and decided to filter on the Stream Index of 29.

tcpstream29A nice, clean conversation. 🙂 There was a successful three-way handshake between the Dot and the remote host (72.195.165.64) followed by an HTTP GET request for a file named update-kindle-full_biscuit-272.5.6.4_user_564196920.bin. (I found out that 564196920 is the software version number from https://www.amazon.com/gp/help/customer/display.html?nodeId=201602210.) I copied the full request URI from frame 3546 (http://amzdigitaldownloads.edgesuite.net/obfuscated-otav3-9/1b9718ec2da663bb299676df977055c9/update-kindle-full_biscuit-272.5.6.4_user_564196920.bin) and used wget to download the file.

wgetIt worked! I didn’t have to specify a user agent, spoof any information, etc. (And now you have a way to download the system image for analysis as well!)

I wanted pull the same file out of the pcapng file. I exported the stream using right-click > Follow > TCP stream > Show data as RAW (drop-down list) > Save as… and saved it as ~/tcpstream29.raw. This export should include the HTTP GET request. xxd confirms it’s presence.

xxd_tcpstream29_1At this point we just want the file. The offset we’re looking for is easy to pick out due to a pretty recognizable file signature shortly after the ASCII keep-alive. (0x504b0304) A carver would be handy but the PK allows me to eyeball it.

xxd_tcpstream29_2I used a hex editor (Bless) to dump everything before offset 0x243.

bless_tcpstream29It’s dead simple. Highlight what we want to remove and hit delete. I saved it as ~/tcpstream29_edited.raw. This file should be identical to the one I downloaded earlier with wget, which I verified by hashing each and comparing them. In case it helps the hashes are below:

  • SHA1(update-kindle-full_biscuit-272.5.6.4_user_564196920.bin)= e897fef9384220cb60bd6f385c328f57408cd5f5
  • SHA512(update-kindle-full_biscuit-272.5.6.4_user_564196920.bin)= cc92c85e08ce412dfbe14562e8df76cdd600da60d3f9245decabb9d65e92b473d07db11559a8b2ffe56e525d0050245dfd0d2c1d0dd23e47d14dee9dd911b01a

Inside

I loaded the file into X-Ways so I could explore, filter, comment, etc. This quickly led to enough information that warrants its own post. Because of that I won’t go over everything here but will instead save it for a separate post. It is worth noting some things that stuck out from the get-go:

  • The Dot runs Android or at least a modified version of it.
  • There’s a bash script for iptables firewall configuration. There is an initial flushing of the tables and a default deny is put in place after. I will look at the rules and scan against them to verify that the script is ran once I enter a more active phase of information gathering.
  • The Dot also implements bluetooth blacklisting to specifically prevent automobiles from automatically pairing with it.
  • The system update comes with two firmware packages for integrated components. I’ll run these through strings, binwalk, and bulk_extractor to see if anything fun comes up.

Again – I’ll go over these items (and more) in follow-up posts.

Thoughts of an Echo Dot compromise

The idea of fully compromised an Amazon Echo Dot crossed my mind. Here are a few thoughts I have.

Alter the system update to suit your goal

Altering the firewall bash script and including binaries in a repacked copy of the update is possible. If the Echo Dot does not require that system images be digitally signed then the system update has a chance at being loaded/ran on an Echo Dot if presented correctly. I don’t know if the system packages are digitally signed of if signing is required. Absence of evidence is not evidence. Right now I just do not know because I haven’t looked.

Trick the Echo Dot into downloading and running a bad update

I believe I traced down the TCP conversation in my capture file that alerted the Echo Dot that an update was available and where to find it. I started at the tcp.stream of the system update download itself and worked backwards using the IP addresses, DNS queries/answers, etc. Unfortunately (or fortunately really) the TCP stream of interest contains an encrypted conversation. I can not see inside it to verify.

Effort and insight would be required to discover how the Echo Dot is specifically told an update exists. More would be needed still to manufacture a way to trick an Echo Dot into downloading and running a system image not created and made available by Amazon. Later on I’ll be using The OWASP Zed Attack Proxy (ZAP) and the Burp Suite to work on this.

A vulnerability in a listening process

The Echo Dot has a firewall with a deliberate set of rules. Bugs are organic to the development process and it’s possible that a permitted, listening process has a vulnerability. Keep in mind that the thoughts above are anything but unique to the Amazon Echo Dot. This is basic stuff.

Why so much has not been done

I’d love to explore the system update more but the spring semester of college just started and my hands are full. Being an older, non-traditional student means that I’m taking classes a little more seriously and likely putting unnecessary pressure on myself. I’m taking 19 credits and need to focus on starting the semester on the right foot!

Hopefully in the coming weeks I’ll have more time and resources to look more into this system and network traffic. Until then I realized that there wasn’t any reason to not share the system update, specifically the download link. I couldn’t find it on Google so I figure it just hasn’t been posted yet.

I’ll be sure to update the blog when I explore the system update and network traffic some more. Thanks!

Amazon Echo Dot System Image

Hello, RiotPSA!

The second half of 2016 gave us the Mirai botnet. I didn’t blog about it much, but why would I? I ran a honeypot, made a list of common login credentials, and analyzed some data. This isn’t uncharted territory by any measure. You were much better off reading about Mirai at Krebs on Security (assuming his hosting isn’t fighting off a Mirai botnet attack at the time), Schneier on Security, and the SANS Internet Storm Center.

I presented on Internet of Things (IoT) privacy and security a few times last year and continued to consider what I could do to make a positive difference for society. I recognized that people generally feel helpless and confused when it comes to IoT once they choose to not ignore it entirely. We face these problems together – individuals, customers, manufacturers, political parties, governments – none are alone in this fight, yet we all act like it. (And certainly have different positions and perspectives.) In an effort to have dialogue and share knowledge I determined that the best course of action for myself would be to start an IoT privacy and security non-profit. So I did that.

There’s a problem and it’s…

The Internet of Things. Seriously.

At present, IoT products are generally recognizable and purposefully integrated into our lives. As time progresses and market penetration for those products increases they will go back to being called things – Internet of will provide needless specificity and be dropped. Before a cultural acceptance and transition occurs surrounding IoT is it important that consumers and manufacturers participate in conversations surrounding their privacy and security goals, obligations, and actions.

You shouldn’t have to be an expert in any field to judge if a product is harmful.

I believe that by establishing RiotPSA and creating data-driven awareness campaigns, the frequency of these conversations will increase and will contribute to better technologies, products, and societies.

Being responsible and realistic

The crux of this issue is that I love technology. I love my Apple iPhone, my Amazon Echo Dot, my Anova Sous Vide… the list goes on. RiotPSA’s goals do not include scaring the public or avoiding the benefits of technology. RiotPSA embraces the future to help it have the best possible outcome.

The future and what we can do

A focused case-study of a device

Having a focused case study of a device this year would allow us to build a model for future IoT research. RiotPSA exists for everyone and not just technology enthusiasts. Ideally the model created would produce a result that can be communicated through a thoughtful infographic. We will present in a way that attracts public interest. Publishing results in an overbearingly authoritative, condescending, and unapproachable way is counter to the goal of RiotPSA and ultimately destructive to society.

Report carding and reputation metrics

The Electronic Frontier Foundation (EFF) has report cards. I believe a similar system would be useful to most people, although I believe a company/manufacturer reputation system is more beneficial (and practical in terms of resource management) in the long run than having a database of each individual device. Having both would be ideal.

Creating opportunities for manufacturers and service providers

Manufacturers and service providers have a great opportunity to communicate with their customers and they’re blowing it. If we highlight ways they can both inform the customer and improve product experience I believe they will act on it. Their conversation with the customer should not end after purchase. Product and service updates should not only come with an end user license agreement (EULA) but also with a simple document written in an understandable way to broadly highlight product or service changes to consumers. More importantly this document shouldn’t be geared towards elderly people or children – it should be geared towards everyone.

Exiting thoughts

Adventure. ExcitementA Jedi craves not these things. I am no Jedi.

RiotPSA has goals with good people driving them. I am excited about this and the future is an adventure. I often found running my first company to be like jumping off a cliff and building the hang glider on the way down. I expect parts of RiotPSA to be this way. My personal goal is to make a difference – not to just force my beliefs or understanding of the world over and over despite there being no impact. If an opportunity appears I don’t want to miss it. I am entering this with an open mind and an understanding that the world changes.

Hello, RiotPSA!

Bring on 2017!

I haven’t updated this blog as regularly as I would have hoped. There’s a massive amount of digital forensic and information security blogs and I wasn’t quite sure how to differentiate mine. (Or if that was even possible.) Despite me being a generally private person I’m going to change the tone of this blog for 2017. Instead of holding out for rare updates I will post regularly – about once a month – and discuss not only what I am working on at the moment but also what is going on in my life. Last year was excellent for me on a personal level. I would like to share those things.

This month I will be presenting at the Tucson Computer Forensics and Information Security Meetup. If you can make it I would love to meet and see you there! I’ll go over what I found out about the Amazon Echo Dot that I was gifted. If you can’t attend check back here as I will post the information that I will discuss. Thanks!

Bring on 2017!

A Sunday with an HDHomeRun CONNECT

Plex is a great piece of software that makes my life better. They recently announced a DVR feature on their beta channel. It requires hardware – In my case an HDTV antenna that takes over the air signals and makes them available on the local network using DLNA. I settled on the SiliconDust HDHomeRun CONNECT unit that Plex officially recommends.

Yet another cheap, unitasking computer on my network. Oh joy.

I unboxed, connected, and configured the unit on Sunday to watch the evening NFL game on NBC. I had some extra time and decided to learn a little more about the unit.

Is it sending/receiving data from outside of my local network?

I have a portable, managed switch I have set up for basic port mirroring/traffic capturing. I used that setup and captured some traffic with tcpdump. I left to get a sandwich and stopped the capture when I returned. I filtered for data sent to or received from an address not on my local subnet.

root@kali:~# tcpdump -nnq -s 0 -r ~/hdhr01.pcap src net ! 10.0.1.0/24 or dst net ! 10.0.1.0/24 | less

A few pages of traffic showed up with multicasting and UPnP addresses that weren’t filtered out. I eventually ran into the following conversation:

It’s a TCP conversation between the unit and an outside service over port 80. It’s brief and presumably HTTP. Time to check it out.

Why is it doing this?

Using tcpdump for collection and targeted filtering on packet captures is ideal and effective. We did that and now have address and conversation to focus in on further. I can move forward with tcpdump but prefer to use the Wireshark dissectors. The visual layout and features make exploratory searches on targeted data a strength of Wireshark.

I used the Analyze > Follow > TCP Stream option on the conversation. It’s brief and and easy to look at.

The unit scanned for over the air (OTA) channels that it could pick up and checked with a server of HTTP for a list of corresponding of station logos. It also included other information such as device ID, current firmware version, and local IP address.

If I have some time in the future I can use Scapy to send similar information but with an older firmware reported to see if a response is sent to indicate an update.

Is tHE external address embedded in the firmware?

The device is communicating with 45.79.74.97 and it must get that address from somewhere. If it’s not embedded in the firmware then we would expect a DNS query from the unit. We’d also expect a successful DNS answer in response to the query because we know a TCP connection took place.

root@kali:~# tcpdump -s 0 -l -n -r ~/hdhr01.pcap port 53

Boom. We have both the DNS query and the DNS response that we were looking for. The unit queried for ipv4.pool.silicondust.net and was sent 45.79.74.97 in response.

At this point I’m glad that I collected the packets the way I did. Filtering while you collect is ideal but if I filtered out all local network packets it would have resulted the omission of this DNS query and answer. Keeping the traffic relatively controlled by using a mirrored port was adequate.

Why .net and not .com?

I noticed that the DNS query is for silicondust.net and not .com. The URL for all of the product and marketing information about has been from the .com domain. This difference is probably a business decision and nothing more. If we were suspicious and we thought the URL was being used maliciously we could do some sleuthing. A starting point would be to find out if they are both owned by the same entity. A whois lookup may help us with that.

The records match in a way which supports that they are owned by the same organization. The Internet Corporation for Assigned Names and Numbers (ICANN) requires that whois information is accurate and up to date. My government also requires that I leave the tags on my mattress. I think you see where this is going. I’ve never read of whois record authenticity being enforced and I’m certain that people lie all the time. So what good are the records then?

If we choose to trust the silicondust.com domain and whois record then we can call the technical contact number provided and ask them if they also own or trust the .net TLD. This is not a complete or perfect solution but if this particular thing bothered you it’s one of many things you could do.

About that firmware…

If the tcpdump filter did not yield the DNS query and answer I would have downloaded the firmware of the unit from the manufacturer’s website and ran stringsbulk_extractor, binwalk, etc. against it. This would be an effort to show that the address was embedded.

Thinking about how things did turn out though – Should I expect to see ipv4.silicondust.net pop up since it’s the hostname used to check for firmware updates? I would think so but I just can’t support the claim. Yet.

I say that because I walked through the OWASP IoT Firmware Analysis guide with the unit firmware and didn’t have any success. I did test the same guide with a DD-WRT image just to make sure that I wasn’t doing something wrong. It worked. I’ll have to spend some time to figure out what the hold-up is with the SiliconDust firmware. Perhaps I am missing something obvious.

This part quickly became the most fascinating to me. It would be fun to be able to yank that hostname string out of the firmware and have better knowledge to explore future blobs of data where I think a string may be hiding. I’m definitely going to continue with this part.

End of the Day

This was my early Sunday afternoon. It’s nothing hardcore but was still a fun little thing. I did eventually get around to using the hardware to watch some football.

A Sunday with an HDHomeRun CONNECT