Amazon Echo Pop (2023)
From Wiki-IoT
Classification
| Amazon Echo Pop (2023) | |
|---|---|
| Classification | |
| Grade | C |
| Calculator version | 1 |
| Classification date | 2025-10-17 |
| Information | |
| Name | Amazon Echo Pop (2023) |
| Brand by Parent | Amazon by Amazon |
| Generation | 4th Generation |
| Model(s) | B09B9WXMLX |
| Release date | 2023-05-31 |
| Type/Category | Smart speaker |
| Website | [1] |
| Status | End of sale |
| More | |
| Dimensions | 99 x 83 x 91 mm |
| Mass | 196 g |
| Operating system | Fire OS 7.5.0.1 (Linux 5.10) |
| Companion App | Amazon Alexa App (iOS/Android) |
| CPU | |
| GPU | |
| Memory | |
| Storage | |
| Battery | |
| Power | |
| Charging | |
| Display | |
| Camera | |
| Sound | |
| Connectivity | |
| Device | |||
|---|---|---|---|
| Criterion | Value | Proof(s) | Comment |
| Known hardware tampering | Rare | [[1] https://d1.awsstatic.com/whitepapers/Security/AWS_Security_of_the_Alexa_Ecosystem.pdf [2] https://www.zerodayinitiative.com/blog/2023/3/22/pwn2own-vancouver-2023-day-one-results [3] https://www.amazon.com/gp/help/customer/display.html?nodeId=GKM69PXVVJ5R9UAR] | The debugging pads can only be accessed by dismantling the device, which is rarely seen in daily scenarios |
| Known vulnerabilities | Rare | [[1] CVE-2023-31038 (Pwn2Own RCE, patched) [2] https://www.cve.org/CVERecord?id=CVE-2023-31038 [3] https://securitylab.github.com/research/alexa-voice-service-security/] | There is only one public CVE, and it has been fixed via OTA |
| Prior attacks | Rare | [[1] CVE-2023-31038 (Pwn2Own RCE, patched)] | No large-scale utilization records |
| Updatability | None | [[1] https://www.amazon.com/gp/help/customer/display.html?nodeId=GMLPVBPDR7L7QPWR [2] Automatic silent update, with an average cycle of 28 days] | Forced automatic update, cannot be disabled |
| Category score | 3 | ||
| System | |||
|---|---|---|---|
| Criterion | Value | Proof(s) | Comment |
| Authentication with other systems | Partial | [[1] https://developer.amazon.com/en-US/docs/alexa/device-apis/alexa-authorization.html [2] Supports Amazon FR & 3P skill OAuth] | Only strong authentication within the Amazon ecosystem, third-party skills rely on OAuth |
| Communications | Encrypted with up-to-date encryption | [[1] TLS 1.3 + WPA3-Personal [2] https://d1.awsstatic.com/whitepapers/Security/AWS_Security_of_the_Alexa] | End-to-end TLS 1.3 |
| Storage | Encrypted with up-to-date encryption | [[1] AES-256-XTS (Local Voice Cache) [2] Cloud AES-256-GCM] | Encrypted storage of audio clips in the cloud |
| Category score | 2 | ||
| User Authentication | |||
|---|---|---|---|
| Criterion | Value | Proof(s) | Comment |
| Account management | Full | [[1] https://www.amazon.com/a/settings/p [2] Support sub-account/family profile] | The voice recording and device can be completely deleted |
| Authentication | Secure | [[1] Supports 2-Step Verification (TOTP/SMS) [2] https://www.amazon.com/a/settings/approval] | Not mandatory by default, manual activation required |
| Brute-force protection | Exist | [[1] Lockout for 15 minutes after 5 consecutive errors [2] https://developer.amazon.com/en-US/docs/alexa/alexa-voice-service/authentication.html] | exponentially backoff |
| Event logging | Partial logging | [[1] Alexa App → Activity → Voice History [2] JSON exportable] | Retain for 3 years (with automatic deletion option) |
| Passwords | Require change after setup with complexity requirements | [[1] During registration, it is mandatory to use a password that is ≥6 characters long and contains special characters [2] Prohibit repetition with the last 5 times] | Prompt for complexity during initial setup |
| Category score | 2 | ||
| Grade | C |
|---|
