Home>Blog>The Hacker News Headlines>Amazon Alexa Bugs Could’ve Let Hackers Install Malicious Skills Remotely
The Hacker News Headlines

Amazon Alexa Bugs Could’ve Let Hackers Install Malicious Skills Remotely

imageimage

Attention! If you use Amazon’s voice assistant Alexa in you
smart speakers, just opening an innocent-looking web-link could let
attackers install hacking skills on it and spy on your activities
remotely.

Check Point cybersecurity researchers—Dikla Barda, Roman Zaikin
and Yaara Shriki—today disclosed severe security vulnerabilities in
Amazon’s Alexa virtual assistant that could render it vulnerable to
a number of malicious attacks.

cybersecurity

According to a new report
released by Check Point Research and shared with The Hacker News,
the “exploits could have allowed an attacker to remove/install
skills on the targeted victim’s Alexa account, access their voice
history and acquire personal information through skill interaction
when the user invokes the installed skill.”

“Smart speakers and virtual assistants are so commonplace that
it’s easy to overlook just how much personal data they hold, and
their role in controlling other smart devices in our homes,” Oded
Vanunu, head of product vulnerabilities research, said.

“But hackers see them as entry points into peoples’ lives,
giving them the opportunity to access data, eavesdrop on
conversations or conduct other malicious actions without the owner
being aware,” he added.

Amazon patched the vulnerabilities after the researchers disclosed
their findings to the company in June 2020.

An XSS Flaw in One of Amazon’s Subdomains

Check Point said the flaws stemmed from a misconfigured CORS policy in
Amazon’s Alexa mobile application, thus potentially allowing
adversaries with code-injection capabilities on one Amazon
subdomain to perform a cross-domain attack on another Amazon
subdomain.

Put differently, successful exploitation would have required
just one click on an Amazon link that has been specially crafted by
the attacker to direct users to an Amazon subdomain that’s
vulnerable to XSS attacks.

In addition, the researchers found that a request to retrieve a
list of all the installed skills on the Alexa device also returns a
CSRF token in the response.

The primary purpose of a CSRF toke[3]n is to prevent
Cross-Site Request Forgery attacks in which a malicious link or
program causes an authenticated user’s web browser to perform an
unwanted action on a legitimate website.

This happens because the site cannot differentiate between
legitimate requests and forged requests.

But with the token in possession, a bad actor can create valid
requests to the backend server and perform actions on the victim’s
behalf, such as installing and enabling a new skill for the victim
remotely.

In short, the attack works by prompting the user to click on a
malicious link that navigates to an Amazon subdomain
(“track.amazon.com”) with an XSS flaw that can be exploited to
achieve code-injection.

amazon alexa hacking skillsamazon alexa hacking skills

The attacker then uses it to trigger a request to
“skillsstore.amazon.com” subdomain with the victim’s credentials to
get a list of all installed skills on the Alexa account and the
CSRF token.

In the final stage, the exploit captures the CSRF token from the
response and uses it to install a skill with a specific skill
ID[4] on the target’s Alexa
account, stealthily remove an installed skill, get the victim’s
voice command history, and even access the personal information
stored in the user’s profile.

The Need for IoT Security

With the global smart speaker
market size projected to reach $15.6 billion by 2025, the
research is another reason why security is crucial in the IoT
space.

As virtual assistants become more pervasive, they are
increasingly turning out to be lucrative targets for attackers
looking to steal sensitive information and disrupt smart home
systems.

“IoT devices are inherently vulnerable and still lack adequate
security, which makes them attractive targets to threat actors,”
the researchers concluded.

“Cybercriminals are continually looking for new ways to breach
devices, or use them to infect other critical systems. Both the
bridge and the devices serve as entry points. They must be kept
secured at all times to keep hackers from infiltrating our smart
homes.”

“The security of our devices is a top priority, and we
appreciate the work of independent researchers like Check Point who
bring potential issues to us. We fixed this issue soon after it was
brought to our attention, and we continue to further strengthen our
systems,” an Amazon spokesperson told The Hacker News via email.
“We are not aware of any cases of this vulnerability being used
against our customers or of any customer information being
exposed.”

[1][2][5]

References

  1. ^
    new report
    (research.checkpoint.com)
  2. ^
    CORS policy
    (developer.mozilla.org)
  3. ^
    CSRF toke
    (owasp.org)
  4. ^
    specific skill ID
    (developer.amazon.com)
  5. ^
    smart speaker market
    (www.marketsandmarkets.com)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.