
Speaking to a City of Amazon Echoes

BSides PDX · 2018 · 24:48 · 98 views · Published 2018-03 · Watch on YouTube ↗
Speakers: Karl Fosaaen (@kfosaaen)
Tags: Category: Technical · Team: Red · Style: Talk
About this talk
Karl Fosaaen (@kfosaaen)

With over 11 million devices in the market, Amazon has invaded homes with their Echo devices. Along with that, they have introduced messaging capabilities that allow users to communicate with each other through their Echoes. This can be a handy way to keep in touch with friends, but what if we wanted to start some conversations with strangers? In this talk, we will go over how the Amazon Echo devices identify other devices and how they talk to each other. After reviewing the protocols, we will go through the process of finding all of the Amazon Echo devices in a specific region (think phone numbers) and how someone could send messages out to all of those devices to make some new friends.

Karl is a Managing Consultant with NetSPI, who specializes in network and web application penetration testing. With over nine years of consulting experience in the computer security industry, he has worked in a variety of industries and hacked on a bunch of stuff. Karl also holds a BS in Computer Science from the University of Minnesota. Karl has previously spoken at THOTCON, BSidesMSP, BSidesPDX, and DerbyCon. In his spare time, you may see him trying to sell you a t-shirt as a swag goon at DEF CON.
Transcript (en)

So welcome, thanks everybody for showing up on Saturday here. This is Speaking to a City of Amazon Echoes. Karl Fosaaen. The intro kind of covered all this, but I'm a managing consultant over at NetSPI. We've got a table over there, I don't think anybody's over there at the moment, but if anybody wants to talk to me after this I'll be over there. We've got swag and stuff. But over at NetSPI I do a number of different things, wear a lot of different hats, but over the last six years I've worked there I've done a variety of network and app pen testing, a little bit of mobile stuff. We're gonna see a little bit of mobile, kind of web stuff here today, and password cracking and social engineering. Like I said, we wear a number of different hats, do a lot of different things. So you can find me on Twitter with @kfosaaen. These slides will be posted to SlideShare, so if anybody wants to snap a photo of that, it's just my first initial, last name for SlideShare. You can find me on the NetSPI blog. This will hopefully be published as a blog within the next couple of weeks here. There's still some approval process with Amazon for publicly talking about some of this stuff. I finally got approval to actually do this talk, I think it was Monday of last week, so this is kind of bleeding edge for approval stuff, but hopefully that'll be up as a blog within the next couple of weeks here. And any code that I've written typically ends up in the NetSPI GitHub repository.

So, quick show of hands here: anybody have an Echo device at home or an Amazon Alexa-enabled type device? I've got a couple myself. I've got the Echo Dot, there's the Tap, the Show. To be honest I don't know all of the different names, they've got a ton of new products within the last even couple of months here, but these are just your really handy devices for voice control kind of stuff. For those who haven't used them or used any of the Alexa-enabled services, we can talk about what they can do, but you know, last count that I saw, there's over 11 million devices that have been sold, so chances are there's a fair number of devices that are in this audience or owned by people in this audience. But I don't work for Amazon, I just kind of like their products.

So what can they do? As I said, the primary kind of thing is voice control. That was moving, apparently that's on wheels. Primary thing is voice control, so "Alexa, do this thing". I don't know, with the Echo Dot that we've got at home I say "Alexa, news now" and get a nice news briefing while I'm making coffee in the morning, or "Alexa, turn on the kitchen lights". Really kind of handy voice control, home automation, playing music from Pandora, anything like that. Very similar to any other type of solutions like the Google Home device; the Alexa and Echo devices do the same stuff. But one of the newer features within the last year is the ability to contact other people. So it can be text messages that you can send from the Alexa app, audio messages that you can record from the app and send from devices, I think you can record them, like send a voice memo to somebody from Echo to Echo, and recently phone calling. Within the last month here they actually introduced calls directly to landlines or cell phones, so you actually do like actual SIP trunking to actually make actual phone calls, which is kind of cool. Haven't actually got to dive into that yet, been a little too busy to actually start pulling that apart. And also pretty recently, video chat, so you can see one of the Echo devices here with a screen, you can do video chatting with that built-in camera. Your privacy concerns aside and all that, they are kind of interesting devices and fun to play around with. So what we're gonna focus on today is primarily the text and audio message side of things, primarily what protocols and APIs are used to do both of those and the interesting things that we can do around that.

So first things first, we need people to contact. One of the things that you do when you set up the Echo devices within the Amazon app on your phone is you can actually choose to give Amazon permissions to your contacts, and you upload a list of your contacts from your phone. This is done with a pretty simple JSON format that we'll look at in a moment, but basically you upload the phone numbers, the names of your contacts up to Amazon, and they go ahead and find the other people that you can talk to. We'll go through that whole process in just a moment here. But really, for each of these requests we're gonna look at in the next few minutes here, I was using Burp, or Burp Suite Professional, as an intercepting proxy. So what that means is I ran Burp Suite Professional on my laptop, hooked up to the same wireless network as my phone, pointed my phone at that proxy in the configuration settings, installed the SSL certificate, and that allows me to intercept the communications that go out to Amazon services. So when we want to send a text message, we intercept that with Burp first, take a look at it (you'll actually see some of these requests), and then we go ahead and forward that on to Amazon to do the things that we want to do. It's a pretty standard tool for web app or mobile testing. If anybody's done any mobile or web app testing you've probably used Burp or another intercepting proxy. If you haven't utilized Burp or other interception proxies before, they have a free version. I highly recommend everybody here goes ahead and gives it a try. Installing the Burp certificate on your phone is pretty easy to do; there's instructions on PortSwigger's website, that's the company that makes Burp. But yeah, just as a general, like, auditing of what your applications are doing on your phone, you'd be really surprised as to what applications are calling out to the Internet. For the little, you know, fun games that you're playing on your phone, you'd be surprised at how many other, like, ad and content networks these simple games go up to the Internet to serve up your personal information out to. So just kind of a recommendation for everybody: give it a try, point your phone at it, see what kind of traffic is going through that proxy. You might end up finding some interesting stuff like this.

So this is what the request looks like for uploading your contacts, and this is going to be a bit of an eye chart, especially for people that are a little further off screen here. But what we can see is that I've blocked out some pertinent information regarding my account identifier. Amazon uses these long GUIDs to identify your account and other people's accounts. So in this case, making a simple API request to PUT a JSON list of contact ID numbers and telephone numbers with first name, last name. In this case we're putting "test" and then whatever the last four digits of the phone number is; we'll talk a little bit more about that later. But basically a simple API request to put out a list of your contacts with your first name, last name out to Amazon, so they can go ahead and look up these phone numbers to identify who's got an Echo device and who you can talk to. So on the app side it's gonna look like this. So I've uploaded a list of contact information from my phone, these are a bunch of people that I know that all have Echo devices, they're gonna show up as contacts that I can reach out to within the application.

So once we've got contacts that we could reach out to and send messages to, we can go ahead and send text messages. It's a pretty simple process: you click your contact and say hey, I want to send a text message, you go ahead and send it, and this will show up on their Echo device with a nice green glowing ring. It might be a little confusing the first time you get one of these messages. Same thing for any notifications, like if you have shipping notifications set up for your Echo device, it will go ahead and, you know, glow green. It's a little confusing sometimes. My hope was that the text-to-speech message read-out that it does when you say "Alexa, play my messages" or "tell me my messages", I just kind of hoped that that would be automatic. It doesn't automatically just start yelling stuff out to you. This is one of my co-workers, Erik, who I was hoping would just get the message and it would just start yelling at him. He was a little confused by this, said "it started blinking so I unplugged it". So not everybody's used to getting messages on their Echo devices.

All right, so that request is gonna look something like this. I apologize for anybody that's further off to the side here, but basically what we're looking at is the account that I'm sending from, it's that GUID again, the account I'm sending to, which I've blanked out purposefully for my own privacy. Not that I don't want to speak with anybody here, but I don't necessarily want to get Echo device notifications, you know, spammed out to me necessarily. So anyways, that's just gonna look like this simple JSON message here: payload "hey this is Karl, I'm testing some Amazon stuff, I promise I won't spam you over this", and the timestamp and notification that it's a text message. Really simple. It's gonna look like this in the application, and then you get that nice green glowing light on your Echo or Echo Dot, whatever. And yes, this is a message I sent out to another co-worker, Alex, and that's basically what it's gonna look like in the app.

So sending audio messages. This is kind of fun in a number of different ways, but basically you can record short audio clips to send back and forth between Echo devices. So "hey it's Karl, just saying hi, I wanted to send you a message", something like that. You can record that in the app and then go ahead and send it to the APIs, and that gets sent out to another Echo device. There's message transcription available for this, so you can just have it transcribed and it'll show up in the actual app so that you don't actually have to play it, which is kind of handy. But we can also do custom audio messages if we're able to intercept these requests, so that's the more fun part about this. So that request is gonna look like this. We did include "true" for "include transcript" here, so that'll put it through the transcribing service so that you get the text message listing there. We can put "false" if we want to hide what the content of that message is going to be, so it just plays the audio file. But what you can see here is the content type in this HTTP request here is audio/aac, and you can see here in kind of the file header information here, M4A audio. So this is basically just recording an M4A audio track and sending that file up to Amazon to upload to their cloud of stuff. So once we have that audio file up in Amazon's cloud we basically get a media ID, and I'm leaving this one purposefully open here; if somebody really wants to go ahead and type that out and see if they can access it, let me know, you'll find out what that is in the next message. But much like the text message, we have our sender ID and the recipient ID, and I've removed some other information in here as well, but really you just upload your audio file, and this you can actually overwrite. You can just go ahead with Burp, select all of this file information here and then "paste from file", and you can go ahead and paste your own M4A file. So that's what we've done here. You could put whatever audio recording you want, and that can be kind of fun. So basically once we have that uploaded, we send the link for that uploaded file within the message to a recipient, they get an audio message. Again, it does not automatically play, but does show up in the application, it will show up with the green glowing ring on the Echo. So this one was kind of fun and totally mature of me and my coworker here, but yeah, I sent Alex a message saying I'm gonna, you know, send you some messages about this, so he responded "no problem, let her rip" or "let it rip". So the mature response here is to send a fart noise. So went out and found M4A audio for that, sent that to him, and he responded with "I hope that was real". So thanks to Alex for accepting all of these messages and dealing with me.

So what can we do with this? We understand how the text messages are sent, how the audio messages are sent, and how we can enumerate contacts. Now legitimately, sure, you could upload all of your regular contacts, people that you actually know, and try to figure out who has an Echo device. Well, we could also try and make some new friends out around Portland. There's two different primary area codes for Portland, 503 and 971. The exchanges are the XXX part of those phone numbers, so you've got your area code, you've got an exchange, and then you've got the four digits for a phone number. Between the two area codes, 503 and 971, you have 800 exchanges per area code, so that equals 1600 exchanges, meaning, you know, 503-323-whatever, 1600 total exchanges between both of those area codes. So that makes up for a lot of potential phone numbers, 16 million potential numbers to be exact. You've got 10,000 numbers per exchange because they're four digits, 0000 all the way through 9999, we've got 10,000 options there. So how do we go about trying to go through all 16 million of those numbers? Well, we could use Google Contacts. We did look at that previous JSON upload, everything in that, and I don't know if I have, yeah. So actually with Google Contacts they limit you at 25,000 contacts per account; I actually have a source on that if anybody wants to see that. But when we looked at that previous response, or that previous request here for uploading contacts, it's all serialized, so everything's tagged, and what you can see here, and again apologies for that side of the room where it's a little bit harder to see, you have a device contact ID. So the top one we can see here is 25828; that may or may not mean that I've uploaded 25,827 contacts prior to that. But anyways, as I said, it's serialized, so that you've got that device contact ID that gets sent there, you've got your phone number, and you kind of iterate through that. You could automate all of this through Burp with the Intruder functionality; it's a really handy way of just iterating through a bunch of different numbers. Since there were a couple of different spots we had to iterate through, I figured it would just be easier to go ahead and just upload contacts from Google, so I'll walk you through that.

Okay, so within Google, as I mentioned, you're limited to 25,000 contacts per account. What I did, and I actually did this for a different area code, but here's a good example for 503: basically just created a contact spreadsheet of Google contacts to import, 503-235 and then all four zeros, and using some Excel spreadsheet magic with a CSV, just iterated all the way down to 9999 and filled out the rest of those numbers. So per contact upload you could do 25,000 at a time; you could cover two and a half exchanges per upload of contacts, which would mean you need about 640 rounds of uploading your contacts up to Amazon with this method. You could probably just automate that too; I don't know exactly how many they cap on the actual JSON format, but anyways, you can probably speed that up a little bit if you used Intruder. Question? Yep, so the question was, could you set up a bunch of contacts, upload them, delete them, and then upload 25,000 more? Yes, so that's actually the process that I ended up doing with some of this: uploaded an entire exchange and then basically deleted those Google contacts from my phone, signed out of the application. If you're signed back into the application it will prompt you again to upload your contacts, and then you can go ahead and reload. So yeah, like I said, 640 rounds to cover all 16 million numbers in the Portland area for those two exchanges. Now granted, there's a fair number of people that have moved in from out of state that may not have either one of those exchanges or either one of those area codes. Myself, I actually have a 612 number; I moved from Minneapolis a couple years ago and didn't want to change phone numbers, so kind of guilty of that myself. But this actually generates a ton of requests to Amazon, right? We're trying to look up 16 million numbers within the Echo infrastructure; they're going to notice. They have detective controls in place to identify, hey, you know, there's potential that somebody's trying to enumerate all of these different phone numbers.

So for proof of concept, as I was identifying this, and this whole discussion actually kind of came out of a RainSec discussion (you know who's familiar with RainSec? It's the local security group meetup, I frequent that pretty regularly, so you can typically find me there), but we were talking about, you know, what we could potentially do with this, and talked about uploading contacts, and the next day went back home and tried this with my 612 range. Basically in the Google Contacts import here we just have a first name of "test", a last name of "test", and then whatever the last four digits are of that phone number that I'm uploading, so 612-123-0000. That way I could tie it back to what the actual phone number was, because it's kind of hard to pull that out of the app. And then uploaded those to Google. So within my 612 range, which is a cell phone range for kind of northern Minneapolis, I was able to find 65 different devices in that one kind of scan of that specific range. So there's definitely potential to enumerate a number of different Echo devices there. Let's see here. Oh, one note on this: if you were to do this, and I would recommend against that, this will actually significantly slow down your Echo devices. If you upload 25,000 contacts to Amazon, your Echo device actually thinks you have 25,000 contacts. So I only had like 15 actual contacts in here before, added another 65, so we're looking at 75 real contacts, but my Echo thought that I had 25,000 phone numbers it had to keep track of. This basically slowed my Echo devices down to a crawl. You would say "Alexa, give me the news", and then five seconds later it would finally bring me the news. So just more of a heads up: if you have a ton of contacts on there it can really slow down the device. It also annoys other people in your household that may be utilizing the Echo devices to, say, turn on lights or anything like that.

Yeah, so at this point we have roughly a city's worth of Echo devices, knowledge of the messaging protocols, text and audio message, and a moral obligation to do the right thing. And I won't ask anybody to raise hands, but there may be other CISSPs in the room. I've worked with some people in the past who were very strict with adhering to the (ISC)² code of ethics; I try to myself. But yeah, I do have a moral obligation to do so, so I worked with Amazon to disclose all of this information. I initially disclosed this back in June; they implemented a couple of the features in line. The call blocking feature, which we'll talk about in the mitigations section in a second, didn't actually have anything to do with me, but they implemented that pretty soon after that. And then I finally got approval to do this, what, all of eleven days ago, something like that. So they've been a great team to work with. Just for the record, the people that I've worked with over at Amazon for disclosing this have been really cool about that. Kind of a note on that: there is some additional stuff that they're still kind of working on that I can't necessarily talk about in this talk, so I apologize about that, but hopefully that'll come out in the blog post in the future here.

So just a couple of notes on mitigations for this. You know, I can leave it up to you to kind of figure out what you could potentially do with all of this information we've talked about. I can't tell you exactly all the bad things you could potentially do with all of this, but I think people can kind of put two and two together here. Anyways, Amazon already has detective controls in place to identify people that are trying to enumerate numbers through specific exchanges. Additionally, you can block messages and calls from unwanted senders. This actually came out of a completely different scenario. So, you know, we showed you, all right, you upload a phone number, it matches it to an Echo device, Amazon gives you the ability to reach out to that Echo device and make phone calls. Well, let's say that you have somebody in your life that you don't want to speak to, but they happen to have your phone number. They could potentially upload your phone number, look up your Echo device and contact you through that. So initially they didn't actually have options to block numbers; Amazon actually implemented that mid-June, so it's definitely a very good thing, because, you know, either unwanted messages from somebody you don't know or from somebody you do know, you can definitely block those through the Alexa app. One of the things they are currently working on is enabling cert pinning for all of the API calls. So pretty much everything we showed you intercepting with Burp, all of those API requests, everything like that, they did not have cert pinning required. So basically, requiring a specific SSL certificate to allow communication between the application and Amazon. There are some bypasses for that, but it would be at least a barrier to entry to actually get to those API calls and reverse all of that. So that's something they are currently working on. Well, another thing that was kind of a recommendation on my side was limiting the recipients of an audio message. So the wonderfully mature fart message that we sent out to Alex earlier in the presentation here, that could actually be potentially sent out to other recipients, because it's just a file blob that you're sending a link to within the messaging API, so you could potentially reuse that to send to another recipient. So this would kind of require people to re-upload audio files as part of that, kind of slow people down.

So quick thanks. Thanks for everybody at RainSec that I kind of talked through the initial ideas of this with, gave me some really good ideas as to what direction to take this. Thanks to everybody here at BSides PDX for having me speak here and for showing up today. Specifically my NetSPI coworkers Eric, Alex and Chris, who all had Echo devices and put up with a ton of messages from me. We also kind of fuzzed on other stuff like cross-site scripting or, you know, other types of links and other things that we could send through the actual APIs, and they dealt with a ton of messages from me on that side, so thanks to them. Tom and Carrie over at Amazon Security for working with me through the disclosure process; they've been really, really helpful and worked with me to get approval for all of this, went over slides and everything, and been very, very helpful there. And thanks to my wife for dealing with the incredibly slow Echo devices for a couple of weeks while I was doing this. I think she was a little upset when, you know, she tried to turn on the kitchen lights and it takes five seconds and you're just standing in the dark waiting for the kitchen lights to turn on, and like, oh, I'll just hit the switch. So thanks to her. I think I've got a couple minutes left here. Does anybody have any questions?
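The talk mentions that Amazon has detective controls for accounts trying to enumerate numbers through specific exchanges. The sketch below is an added example, not code from the talk or from Amazon: it scores one contact-upload batch on the traits the speaker describes (very large batches, all numbers in one area code and exchange, consecutive numbers, placeholder names carrying the last four digits) and flags a batch that looks like an exchange sweep rather than a real address book. The record fields, thresholds and sample batches are assumptions constructed for the example.

```python
"""Detective-control sketch for contact-upload enumeration (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Assumed placeholder-name pattern; the talk's uploads used first/last name "test".
PLACEHOLDER_NAME = re.compile(r"^(test|unknown|contact)\b", re.IGNORECASE)


@dataclass
class UploadVerdict:
    total: int                 # distinct 10-digit numbers in the batch
    top_exchange: str          # area code + exchange, e.g. "503235"
    top_exchange_share: float  # share of numbers in that one exchange
    sequential_share: float    # share of numbers whose successor is also present
    placeholder_share: float   # share of contacts with placeholder names
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return len(self.flags) >= 2  # assumed policy: two independent signals


def normalize(number: str) -> str:
    """Keep digits only and strip a leading US country code."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def score_upload(contacts, min_batch=1000, exchange_share=0.9,
                 sequential_share=0.5, placeholder_share=0.5) -> UploadVerdict:
    """Score one batch; each contact is a dict with first, last and number."""
    numbers = sorted({normalize(c["number"]) for c in contacts
                      if len(normalize(c["number"])) == 10})
    total = len(numbers)
    present = set(numbers)
    exchanges = Counter(n[:6] for n in numbers)
    top_exchange, top_count = exchanges.most_common(1)[0] if exchanges else ("", 0)
    # A number is "sequential" when number+1 is also in the same upload.
    seq = sum(1 for n in numbers if str(int(n) + 1).zfill(10) in present)
    placeholders = sum(1 for c in contacts if PLACEHOLDER_NAME.match(
        f"{c.get('first', '')} {c.get('last', '')}".strip()))

    v = UploadVerdict(
        total=total,
        top_exchange=top_exchange,
        top_exchange_share=top_count / total if total else 0.0,
        sequential_share=seq / total if total else 0.0,
        placeholder_share=placeholders / len(contacts) if contacts else 0.0,
    )
    if total >= min_batch:
        v.flags.append("large_batch")
    if total >= 100 and v.top_exchange_share >= exchange_share:
        v.flags.append("single_exchange")
    if total >= 100 and v.sequential_share >= sequential_share:
        v.flags.append("sequential_numbers")
    if v.placeholder_share >= placeholder_share:
        v.flags.append("placeholder_names")
    return v


# Constructed sample batches (not real people or numbers).
REAL_BOOK = [
    {"first": "Alex", "last": "Smith", "number": "+1 503-555-0143"},
    {"first": "Chris", "last": "Jones", "number": "(971) 555-0199"},
    {"first": "Erik", "last": "Brown", "number": "612-555-0120"},
    {"first": "Tom", "last": "Lee", "number": "5035550177"},
]
# The talk's scheme: first name "test", last name "test" plus the last four digits.
SWEEP = [{"first": "test", "last": f"test {i:04d}", "number": f"503235{i:04d}"}
         for i in range(2500)]

if __name__ == "__main__":
    for name, batch in (("real_book", REAL_BOOK), ("sweep", SWEEP)):
        print(name, score_upload(batch))
```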
