In recent years, virtually every tech company has produced a variety of smart home and personal assistant devices. Russian tech giant Yandex is no exception, and its smart speaker Alisa is present in more than 3 million homes across dozens of countries. Unfortunately, due to the closed-source nature of most smart home devices, users generally have very little insight into the software running on these devices, which are designed to hear you from any corner of your house, or into their security. This presentation traces the path from physical attacks on the device, which yield root by manipulating the unauthenticated contents of the NAND flash, all the way to gaining persistence and recovering private keys for the over-the-air updates. Additionally, a common flaw in the protection of environment variables is shown and used to gain arbitrary code execution in early secure boot stages, decrypt later boot stages, and explore factory debug features.
Sergei Volokitin is a Senior Security Analyst at Riscure in the Netherlands, where his work is mostly focused on security testing of embedded systems and mobile devices. He has a number of publications on Java Card platform attacks and conference presentations on hardware security.