Researchers have just revealed defects in Amazon Alexa that might allow attackers to access personal data & install skills on Echo devices.
Vulnerabilities in Amazon’s Alexa virtual assistant platform could have allowed attackers to access a user’s voice history (including interactions with banking skills), usernames, phone numbers or home address, simply by persuading the user to click a malicious link.
Subdomains
Check Point researchers found several web-application issues on Amazon Alexa subdomains, including a cross-site scripting (XSS) flaw & a cross-origin resource sharing (CORS) misconfiguration.
An attacker could exploit these vulnerabilities remotely by sending a victim a specially crafted link to an Amazon subdomain.
Securing
“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy,” explained Oded Vanunu, Head of Products Vulnerabilities Research at Check Point, in research published on Thursday.
“Alexa has concerned us for a while now, given its ubiquity & connection to IoT devices. It is these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”
The researchers reported their findings to Amazon in June 2020. Amazon fixed the security issues, & the researchers then publicly disclosed the flaws on Thursday.
The Flaws
The researchers tested the mobile application that connects to Alexa. After using a Frida SSL unpinning script to bypass the certificate pinning that protects the app’s traffic, they were able to inspect the app’s HTTPS requests to Amazon’s back-end services in clear text.
They found that several requests made by the app were answered with a misconfigured CORS policy. CORS is the browser mechanism by which a server declares, through the Access-Control-Allow-Origin & related response headers, which foreign origins are allowed to read its responses to cross-origin requests such as XMLHttpRequest or fetch.
Bypassed
When the policy is too permissive, a page on an origin controlled by the attacker can send credentialed requests to the server & read the responses, which is exactly what CORS is meant to prevent.
In this case the policy accepted requests from any Amazon subdomain, so an attacker could send Ajax requests from any other Amazon subdomain. “This could potentially have allowed attackers with code-injection capabilities on one Amazon subdomain to perform a cross-domain attack on another Amazon subdomain,” commented the researchers.
CSRF Token
The researchers then found that this CORS misconfiguration could be chained with an XSS flaw on an Amazon subdomain, allowing them to make a specific request that returned a list of all the skills installed on the victim’s Alexa account. The server’s response to that request also contained the session’s CSRF token.
A CSRF token is a unique, secret value generated by the server-side application & handed to the client, which must send it back with state-changing requests so the server can tell that they originate from its own pages rather than from a foreign site. An attacker who can read the token cross-origin has defeated that protection & can perform actions on behalf of the target.
Real-World Attack
In a real-world attack, a bad actor would first convince an Alexa user to click a malicious link, which directs the victim to an Amazon subdomain where the attacker has code-injection (XSS) capabilities. From there the injected script could retrieve the list of skills installed on the victim’s Alexa account, along with the user’s CSRF token.
“The attack flow is trivial. I would not call it a sophisticated attack to carry, but the implication & the skills replacements make this attack seamless & sophisticated on the target side,” observed Oded Vanunu.
With the token in hand, attackers could silently install, enable or remove skills on the victim’s Alexa account remotely. Skills are functionalities for Alexa developed by third-party vendors, which can be thought of as apps, such as weather programs & audio features.
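The chain described above (a CORS policy that trusts every subdomain, XSS on one of those subdomains, a CSRF token read from the cross-origin response, then a state-changing request made with that token) is easy to reason about in code. The following is an added example, not Check Point’s proof of concept nor Amazon’s code: a small Node.js simulation with a fictional API host under example.com, a hypothetical XSS’d subdomain promo.example.com, a made-up session cookie & token, & a browser model that only gates response visibility (simple requests, no preflight). It contrasts the permissive “any subdomain” policy with an exact-origin allowlist.

```javascript
// Added example, not Check Point's or Amazon's code: a self-contained simulation
// of the CORS + CSRF-token chain described in the article. The API host, the
// XSS'd subdomain, the cookie and the token are all constructed for illustration.

// Weak policy (the shape of the misconfiguration in the article): reflect the
// caller's Origin back in Access-Control-Allow-Origin for any subdomain of the
// parent domain. The parsing is correct; trusting every subdomain is the bug.
function weakAllowOrigin(origin) {
  let host;
  try {
    host = new URL(origin).hostname;
  } catch {
    return null; // malformed or missing Origin: emit no CORS headers
  }
  const trusted = host === "example.com" || host.endsWith(".example.com");
  return trusted ? origin : null;
}

// Hardened policy: an exact-match allowlist of the front ends that really need
// credentialed access. An XSS on any other subdomain gains nothing from CORS.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
function strictAllowOrigin(origin) {
  return ALLOWED_ORIGINS.has(origin) ? origin : null;
}

// Simulated API host. GET /skills returns the installed skills plus the session's
// CSRF token; POST /skills/install changes state only if that token is presented.
function makeApiServer(allowOrigin, sessions) {
  return function handle(req) {
    const session = sessions[req.cookie];
    if (!session) return { status: 401, headers: {}, body: "" };
    const headers = {};
    const allowed = allowOrigin(req.origin);
    if (allowed) {
      headers["Access-Control-Allow-Origin"] = allowed;
      headers["Access-Control-Allow-Credentials"] = "true";
    }
    if (req.method === "GET" && req.path === "/skills") {
      const body = JSON.stringify({ skills: session.skills, csrf: session.csrf });
      return { status: 200, headers, body };
    }
    if (req.method === "POST" && req.path === "/skills/install") {
      if (!req.body || req.body.csrf !== session.csrf) {
        return { status: 403, headers, body: "missing or invalid CSRF token" };
      }
      session.skills.push(req.body.skill);
      return { status: 200, headers, body: "installed" };
    }
    return { status: 404, headers, body: "" };
  };
}

// Simulated browser doing fetch(url, { credentials: "include" }) from a page on
// pageOrigin. Modelled as a simple request (no preflight): the request always
// reaches the server with the victim's cookie, but the page may read the
// response only if the CORS headers name its origin and allow credentials.
function browserFetch(pageOrigin, server, req) {
  const res = server({ ...req, origin: pageOrigin, cookie: "sid=abc123" });
  const readable =
    res.headers["Access-Control-Allow-Origin"] === pageOrigin &&
    res.headers["Access-Control-Allow-Credentials"] === "true";
  return readable ? res.body : null;
}

// The chain: script injected via XSS on one (hypothetical) subdomain reads the
// skill list and CSRF token from the API host, then uses the token to install a skill.
function runChain(allowOrigin, xssOrigin = "https://promo.example.com") {
  // constructed victim session; a fresh copy per run so state does not leak across calls
  const sessions = { "sid=abc123": { csrf: "tok-9f1e", skills: ["Weather"] } };
  const server = makeApiServer(allowOrigin, sessions);

  const listing = browserFetch(xssOrigin, server, { method: "GET", path: "/skills" });
  let tokenLeaked = false;
  if (listing !== null) {
    tokenLeaked = true;
    const { csrf } = JSON.parse(listing);
    browserFetch(xssOrigin, server, {
      method: "POST",
      path: "/skills/install",
      body: { csrf, skill: "Malicious Skill" },
    });
  }
  const installed = sessions["sid=abc123"].skills.includes("Malicious Skill");
  return { tokenLeaked, installed };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak CORS:  ", runChain(weakAllowOrigin));   // { tokenLeaked: true, installed: true }
  console.log("strict CORS:", runChain(strictAllowOrigin)); // { tokenLeaked: false, installed: false }
}
```

Run it with node to see both outcomes. The hardened policy does not stop the request from reaching the server with the victim’s cookie; it stops the injected script from reading the response, so the CSRF token never leaks & the state-changing POST fails its token check. That is the practitioner’s takeaway: a CSRF token must only be readable by the origins that legitimately need it, & Access-Control-Allow-Origin should come from an exact allowlist, never from reflecting any origin that merely shares a parent domain.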
Voice History
They could also access a user’s voice history with Alexa, & get their personal information including banking data history, usernames, phone numbers & home address.
“Amazon does not record your banking login credentials, but your interactions are recorded, & since we have access to the chat history, we can access the victim’s interaction with the bank skill & get their data history,” suggested researchers.
“We can also get usernames & phone numbers, depending on the skills installed on the user’s Alexa account.”
Alexa, Google Home & other virtual assistants have been found to have serious security & privacy issues in recent years. During 2019, researchers revealed a new means to exploit Alexa & Google Home smart speakers to allow spying on their users.
Eavesdrop
In 2018 a proof-of-concept Amazon Echo skill showed how attackers could abuse the Alexa virtual assistant to eavesdrop on consumers with smart devices & automatically transcribe everything they said. Other privacy issues, such as allegations that Alexa secretly recorded children & other users, have put the AI assistant under scrutiny.
These incidents, & this most recent defect, highlight the need for Alexa users to be aware of how much data the voice assistant is collecting, commented Check Point’s Vanunu.
Entry Points
“Smart speakers & virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, & their role in controlling other smart devices in our homes,” Vanunu cautioned.
“But hackers see them as entry points into people’s lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.”