Cybersecurity researchers have found that Amazon’s Alexa smart home devices had an exploitable security flaw that allowed access to the device and to a user’s private data, as well as the ability for apps to be removed or installed remotely.
A report from Check Point Research found that attackers could use a specially crafted link that, should a user click it, would give the hacker access to the Alexa device.
Such a link could easily be hidden inside a benign-seeming email from Amazon along with harmless-looking links to Amazon products.
Once an attacker gained access to the device, they could perform actions including installing or removing apps (also called skills) on a user’s Alexa account without their knowledge and accessing a list of all installed skills on the user’s Alexa account, as well as getting a list of the user’s voice history along with their personal information.
Check Point found that the Alexa mobile application used an SSL pinning mechanism that prevents people from inspecting the app’s traffic. The researchers used a common SSL universal unpinning script to bypass the mechanism and view the traffic.
This revealed that the app used a misconfigured Cross-Origin Resource Sharing (CORS) policy. CORS is the mechanism by which a server tells browsers which other origins are allowed to read its responses.
This meant that attackers could use one Amazon subdomain to request information from another Amazon subdomain, such as a protected Amazon Alexa account.
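The weak setting beside a corrected one, as an added example that is not from Check Point's report or Amazon's code: it assumes the misconfiguration amounts to trusting any sibling subdomain for credentialed requests. The `example.com` hostnames, function names and sample origins are hypothetical and constructed for illustration.

```javascript
// Hypothetical CORS origin checks for an API that answers credentialed requests.
// All hostnames are placeholders, not Amazon's real configuration.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://account.example.com",
]);

// Weak: trusts every subdomain of the parent domain, so a flaw on any
// sibling subdomain is enough to read this API's responses.
function weakOriginCheck(origin) {
  try {
    const { protocol, hostname } = new URL(origin);
    return protocol === "https:" && hostname.endsWith(".example.com");
  } catch {
    return false; // unparsable Origin values such as "null"
  }
}

// Strict: exact match against a short list of origins that need access.
function strictOriginCheck(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Build the CORS response headers for one request's Origin header.
function corsHeaders(origin, isAllowed) {
  if (!isAllowed(origin)) return {}; // no CORS headers: the browser blocks the read
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from reusing one origin's answer for another
  };
}

// Constructed sample Origin values.
const SAMPLE_ORIGINS = [
  "https://app.example.com",             // intended client
  "https://forgotten-promo.example.com", // sibling subdomain with no need for access
  "https://example.com.evil.test",       // look-alike suffix on another domain
  "null",                                // sandboxed or opaque origin
];

// Report which origins each policy would let read credentialed responses.
function compare() {
  return SAMPLE_ORIGINS.map((origin) => ({
    origin,
    weak: "Access-Control-Allow-Origin" in corsHeaders(origin, weakOriginCheck),
    strict: "Access-Control-Allow-Origin" in corsHeaders(origin, strictOriginCheck),
  }));
}

console.table(compare());
```

Only the sibling subdomain is treated differently by the two policies, which is the trust relationship the report describes.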
The cybersecurity researchers found that requesting a list of all the installed skills on the Alexa provided them with a sensitive value, the CSRF token. This is a unique, secret, unpredictable value that is used to prevent cross-site request forgery. Essentially, it functions like a password, with the Alexa domain checking that the outside domain presents the CSRF token when it requests information.
“We can use this CSRF token to perform actions on behalf of the victim, such as installing and enabling a new skill for the victim remotely,” the researchers noted.
As part of the attack, one common skill could be removed from Alexa and replaced with a skill that used the same phrase to activate it. Should the user try to use the old skill, the invocation phrase will trigger the new skill instead.
“As virtual assistants today serve as entry points to people’s homes appliances and device controllers, securing these points has become critical, with maintaining the user’s privacy being a top priority,” Check Point Research said in its report.
Check Point Research said that they reported these vulnerabilities to Amazon in June 2020, with Amazon subsequently fixing the issue.