smart speakers, just opening an innocent-looking web-link could let
attackers install hacking skills on it and spy on your activities
remotely.
Cybersecurity researchers today disclosed severe security
vulnerabilities in Amazon’s Alexa virtual assistant that could
render it vulnerable to a number of malicious attacks.
with The Hacker News, the “exploits could have allowed an attacker
to remove/install skills on the targeted victim’s Alexa account,
access their voice history and acquire personal information through
skill interaction when the user invokes the installed skill.”
“Smart speakers and virtual assistants are so commonplace that
it’s easy to overlook just how much personal data they hold, and
their role in controlling other smart devices in our homes,” Oded
Vanunu, head of product vulnerabilities research, said.
“But hackers see them as entry points into peoples’ lives,
giving them the opportunity to access data, eavesdrop on
conversations or conduct other malicious actions without the owner
being aware,” he added.
Amazon patched the vulnerabilities after the researchers disclosed
their findings to the company in June 2020.
An XSS Flaw in One of Amazon’s Subdomains
Check Point said the flaws stemmed from a misconfigured CORS policy in
Amazon’s Alexa mobile application, thus potentially allowing
adversaries with code-injection capabilities on one Amazon
subdomain to perform a cross-domain attack on another Amazon
subdomain.
Put differently, successful exploitation would have required
just one click on an Amazon link that has been specially crafted by
the attacker to direct users to an Amazon subdomain that’s
vulnerable to XSS attacks.
In addition, the researchers found that a request to retrieve a
list of all the installed skills on the Alexa device also returns a
CSRF token in the response.
The primary purpose of a CSRF toke[2]n is to prevent
Cross-Site Request Forgery attacks in which a malicious link or
program causes an authenticated user’s web browser to perform an
unwanted action on a legitimate website.
This happens because the site cannot differentiate between
legitimate requests and forged requests.
But with the token in possession, a bad actor can create valid
requests to the backend server and perform actions on the victim’s
behalf, such as installing and enabling a new skill for the victim
remotely.
In short, the attack works by prompting the user to click on a
malicious link that navigates to an Amazon subdomain
(“track.amazon.com”) with an XSS flaw that can be exploited to
achieve code-injection.
“skillsstore.amazon.com” subdomain with the victim’s credentials to
get a list of all installed skills on the Alexa account and the
CSRF token.
In the final stage, the exploit captures the CSRF token from the
response and uses it to install a skill with a specific skill
ID[3] on the target’s Alexa
account, stealthily remove an installed skill, get the victim’s
voice command history, and even access the personal information
stored in the user’s profile.
The Need for IoT Security
With the global smart speaker
market size projected to reach $15.6 billion by 2025, the
research is another reason why security is crucial in the IoT
space.
As virtual assistants become more pervasive, they are
increasingly turning out to be lucrative targets for attackers
looking to steal sensitive information and disrupt smart home
systems.
“IoT devices are inherently vulnerable and still lack adequate
security, which makes them attractive targets to threat actors,”
the researchers concluded.
“Cybercriminals are continually looking for new ways to breach
devices, or use them to infect other critical systems. Both the
bridge and the devices serve as entry points. They must be kept
secured at all times to keep hackers from infiltrating our smart
homes.”
References
- ^
CORS policy
(developer.mozilla.org) - ^
CSRF toke
(owasp.org) - ^
specific skill ID
(developer.amazon.com) - ^
smart speaker market
(www.marketsandmarkets.com)
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/FJ7V4ZqqfQA/amazon-alexa-hacking-skills.html