IoT Penetration Test - Amazon Echo Dot (2nd Gen)
Full IoT pentest covering network, mobile app, hardware and firmware analysis
Overview
Methodology
Planning
Gathered objectives and defined scope. Established rules of engagement including authorised testing parameters and communication protocols.
Discovery
Performed reconnaissance, Nmap TCP and UDP scanning, and enumeration. Identified open ports: TCP 1080 (socks), 8888 (sun-answerbook), UDP 1080 (socks), 5353 (zeroconf/mDNS). Collected information on services, software versions, and network behaviour.
Attack
Validated vulnerabilities through exploitation. Conducted UDP flood on port 5353 (successful DoS), ARP spoofing MITM via Ettercap, SSL pinning bypass on the Alexa Android app using Frida, APK decompilation with APKTool to discover hardcoded API keys, and device storage forensics using Paraben.
Reporting
Documented all findings including confirmed vulnerabilities, exploitation results, failed attempts, and company strengths. Provided actionable recommendations mapped to CVSS v3 scores.
Findings
DoS via UDP Flood on Port 5353
Port 5353 (UDP/mDNS) was vulnerable to flooding. Using hping3 (hping3 -2 --flood -p 5353 192.168.0.30), the device became unresponsive under high-volume UDP traffic. TCP SYN flood on ports 1080 and 8888 was unsuccessful, indicating effective TCP DoS mitigation. CVSS: 6.2.
Hardcoded API Keys in Android Manifest
APK decompilation with APKTool revealed an API key hardcoded in the AndroidManifest.xml file. Forensic analysis using Paraben also identified the encryption keys for the local SQLite database and delegate tokens held in local storage. CVSS: 4.3.
Vulnerable JavaScript Dependency
The Alexa app used jQuery 3.4.1, which has known CVEs including Prototype Pollution (CVE-2020-11022, CVE-2020-11023). These could allow XSS or unintended code execution if user-controlled input is processed insecurely. Remediation: update to jQuery 3.7.1.
Clickjacking Vulnerability
The Amazon Alexa web interface lacked X-Frame-Options and CSP frame-ancestors headers, allowing the page to be embedded in a malicious iframe. Demonstrated via a proof-of-concept HTML page embedding the Amazon sign-in endpoint. CVSS: 3.1.
ARP Spoofing / MITM via Ettercap
Successfully performed ARP spoofing between the Echo Dot and the router using Ettercap. Traffic was intercepted and analysed in Wireshark. However, all communications were encrypted with TLS 1.2, preventing extraction of meaningful data.
SSL Pinning Bypass via Frida
SSL pinning on the Alexa Android app (com.amazon.dee.app) was bypassed using Frida with the universal SSL pinning bypass script from CodeShare. Traffic was subsequently intercepted via Burp Suite. API endpoints were found to be well-secured with proper token handling.
Device Teardown and SoC Tamper Resistance
Physical disassembly of the Echo Dot was performed. Most components were accessible, but the System on Chip (SoC) was securely glued to the board, preventing hardware-level attacks without specialised tools. Specs observed: 64-bit Quad-Core MediaTek, 512MB LPDDR3 RAM, 4GB NAND Flash, WiFi 802.11a/b/g/n, Bluetooth 4.0.
Alexa Voice Processing and Data Flow Analysis
Mapped the full data flow: voice input is captured by the 7-microphone array and sent to AWS for NLP processing, then routed to the local device, to third-party services (Spotify, Google, weather APIs), or to the AWS Cloud depending on the command type. The response is delivered via AWS TTS.
Tools Used
Remediation
- Implement rate limiting on UDP port 5353 to prevent flood attacks; configure iptables to drop excessive UDP requests
- Remove hardcoded API keys from the Manifest file; use secure backend key management or Android Keystore
- Store encryption keys using Android Keystore, Secure Enclave, or AWS Secrets Manager rather than local storage
- Update jQuery to 3.7.1 or the latest stable version
- Set X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'none' headers to prevent clickjacking
- Strengthen certificate pinning with backup pins and anti-tampering controls
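As an added check for the clickjacking finding above and the header remediation in this list (example code, not part of the original assessment), the function below evaluates a response's headers the way a reviewer would, accepting a restrictive CSP frame-ancestors or X-Frame-Options DENY/SAMEORIGIN and flagging the missing, wildcard and obsolete ALLOW-FROM cases; the sample headers are constructed.

```python
from typing import Dict, List, Tuple

# Added example, not from the original report. Evaluates the two controls
# named in the clickjacking finding: X-Frame-Options and CSP frame-ancestors.


def frame_ancestors(csp: str) -> List[str]:
    """Return the source list of the frame-ancestors directive, or [] if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return []


def check_clickjacking(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers.

    CSP frame-ancestors takes precedence when present; otherwise X-Frame-Options
    DENY or SAMEORIGIN counts. ALLOW-FROM is obsolete and ignored by browsers.
    """
    # Header names are case-insensitive, so normalise keys to lower case.
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources:
        # 'none' or a fixed origin list blocks arbitrary framing; '*' does not.
        if "*" in sources:
            return False, "CSP frame-ancestors allows any origin (*)"
        return True, "CSP frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options: " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and unsupported"
    return False, "no X-Frame-Options and no CSP frame-ancestors"


# Constructed samples: the weak state described in the finding and the
# hardened state from the remediation list.
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, check_clickjacking(hdrs))
```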
References
- [1] NIST SP 800-115 - Technical Guide to Information Security Testing and Assessment
- [2] OWASP Testing Guide v4
- [3] CVE-2020-11022, CVE-2020-11023 - jQuery Prototype Pollution
- [4] CVE-1999-0103 - UDP Flooding
- [5] CVE-1999-0667 - ARP Spoofing