
New Amazon Alexa Vulnerability Found

Summary

  A report by Check Point Research came out today describing a vulnerability in Amazon's smart home assistant Alexa. The vulnerability was shared with Amazon in June of this year and has since been fixed (why the report was just published).

  The vulnerability gave hackers the ability to add or remove skills, get a list of the added skills, get the user's voice history, and get the user's personal information. All that was required was having the user click on a link sent by the hacker. They would then be able to do everything listed above. The most significant of these are access to the victim's voice history, which could have sensitive information like banking info in it, and the ability to see all the information on the user's profile, including address, email, and phone number.

 

Quotes

Quote

Introduction & Motivation

“Please lower the temperature of the AC, it’s getting humid in here,” said Eric to Alexa, who turned the AC to a cooler temperature in the living room.

No, Alexa is not Eric’s partner, wife or friend. Alexa is his virtual assistant and this scenario which would have been considered somewhat futuristic a decade ago is today part of a multi-billion market, expected to reach over 15 billion by 2025.

At the end of 2020, it was reported that over 200 million Alexa-powered devices had been sold by the end of the year.

An intelligent virtual assistant (IVA) or intelligent personal assistant (IPA) is a software agent that can perform tasks or services for an individual based on commands or questions. Amazon Alexa, commonly known as “Alexa”, is an AI based virtual assistant developed by Amazon, capable of voice interaction, music playback, setting alarms and other tasks, including controlling smart devices as part of a home automation system. Users are able to extend Alexa’s capabilities by installing “skills” – additional functionality developed by third-party vendors which can be thought of as apps – such as weather programs and audio features.

As virtual assistants today serve as entry points to people’s homes appliances and device controllers, securing these points has become critical, with maintaining the user’s privacy being top priority. This was our “entry point” and central motivation while conducting this research.

Our findings show that certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting. Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf.

These vulnerabilities would have allowed an attacker to:

  • Silently install skills (apps) on a user’s Alexa account
  • Get a list of all installed skills on the user’s Alexa account
  • Silently remove an installed skill
  • Get the victim’s voice history with their Alexa
  • Get the victim’s personal information

In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill.

Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker.

(Check Point Research Report)

 

Quote

Attack Flow

The attack can be carried out in a few different ways. We will describe here an example of how an attacker can perform actions on the user’s Alexa.

  1. The user clicks on a malicious link that directs them to amazon.com where the attacker has code-injection capability.
  2. The attacker sends a new Ajax request with the user’s cookies to amazon.com/app/secure/your-skills-page and gets a list of all installed skills on the Alexa account and the CSRF token in the response.
  3. The attacker uses the CSRF token to remove one common skill from the list we received in the previous step.
  4. Then, the attacker installs a skill with the same invocation phrase as the deleted skill.
  5. Once the user tries to use the invocation phrase, they will trigger the attacker skill.

 

Attack Capabilities

Get Skill List

The following request could have allowed the attacker to view the entire skill list of the victim’s account. This information can be used later to replace one of the victim’s skills with a published skill that the attacker chooses from the skills store.

 

Silently Remove an Installed Skill

The following request allows the attacker to remove a skill from the victim’s account. The skill we removed is one of the skills in the list we received in the previous API request.

 

Get Victim’s Voice History with Alexa

The following request could have allowed the attacker to get the victim’s voice history with Alexa. The attacker could view the voice command history and Alexa’s response to them. This could lead to exposure of personal information, such as banking data history.

 

Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history. We can also get usernames and phone numbers, depending on the skills installed on the user’s Alexa account.

 

Personal Victim’s Information

The following request can be used to get personal information on the user, such as, home address and other information the user has in their profile.

 

Conclusion

Virtual assistants are used in Smart Homes to control everyday IoT devices such as lights, A/C, vacuum cleaners, electricity and entertainment.

They grew in popularity in the past decade to play a role in our daily lives, and it seems as technology evolves, they will become more pervasive.

This makes virtual assistants an attractive target for attackers looking to steal private and sensitive information, or to disrupt an individual’s smart home environment.

IoT devices are inherently vulnerable and still lack adequate security, which makes them attractive targets to threat actors. Cybercriminals are continually looking for new ways to breach devices, or use them to infect other critical systems. This research presented a weak point in what is a bridge to such IoT appliances. Both the bridge and the devices serve as entry points. They must be kept secured at all times to keep hackers from infiltrating our smart homes.

 

*Images (following requests) have been removed for formatting. If you would like to see them, please go to the first source.

(Check Point Research Report)

 

My thoughts

 I'm glad this was found by a research company and not after being used by a hacker. This is why we don't click on random links, people! Good thing Amazon was able to fix this in just a few months and not a few years, leaving it open and leaving users at risk.

 

Sources

 Check Point Research Report

 cnet

I am far from an expert in this so please correct me if I’m wrong.

Quote or tag me so I can see your response
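
Added example (not part of the original post or the Check Point report): the report excerpt says a CORS misconfiguration combined with XSS let a script read the CSRF token, so this sketch contrasts a subdomain-wide CORS policy with an exact-origin allowlist. The exact policy on the affected subdomains is not given on this page; the `example.test` origins, the suffix-match policy and all function names are assumptions constructed for illustration.

```javascript
// Constructed origins on example.test; not Amazon's real configuration.
const PARENT = "example.test";
const GRANT = (origin) => ({
  "Access-Control-Allow-Origin": origin,
  "Access-Control-Allow-Credentials": "true",
  "Vary": "Origin",
});

// Weak policy (assumed): reflect any Origin ending in the parent domain, with
// credentials allowed, so every subdomain can read authenticated responses.
function corsHeadersWeak(origin) {
  return typeof origin === "string" && origin.endsWith(PARENT) ? GRANT(origin) : {};
}

// Hardened policy: exact match against a short allowlist of full HTTPS origins.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);
function corsHeadersStrict(origin) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return {}; // missing, "null" or malformed Origin: no CORS grant
  }
  const exact = parsed.origin === origin && ALLOWED_ORIGINS.has(origin);
  return parsed.protocol === "https:" && exact ? GRANT(origin) : {};
}

// Browser rule for credentialed requests: the calling page may read the
// response only if ACAO equals its origin exactly and ACAC is "true".
function readableWithCookies(headers, origin) {
  return headers["Access-Control-Allow-Origin"] === origin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}

// Return the origins whose scripts could read a cookie-authenticated response.
function audit(policy, origins) {
  return origins.filter((o) => readableWithCookies(policy(o), o));
}

const SAMPLE_ORIGINS = [
  "https://app.example.test",    // intended first-party front end
  "https://legacy.example.test", // sibling subdomain; an XSS here inherits the grant
  "http://app.example.test",     // plaintext variant
  "https://notexample.test",     // different domain that still passes endsWith
  "null",                        // sandboxed or file origin
];
console.log("weak policy lets these read:", audit(corsHeadersWeak, SAMPLE_ORIGINS));
console.log("strict policy lets these read:", audit(corsHeadersStrict, SAMPLE_ORIGINS));
```

With the strict policy, a script injected on a sibling subdomain can still send requests, but the browser withholds the response body, so a CSRF token embedded in an authenticated page stays unreadable to it.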

 


welp, brb going to throw my echo dot out of the window.

PC: Motherboard: ASUS B550M TUF-Plus, CPU: Ryzen 3 3100, CPU Cooler: Arctic Freezer 34, GPU: GIGABYTE WindForce GTX1650S, RAM: HyperX Fury RGB 2x8GB 3200 CL16, Case, CoolerMaster MB311L ARGB, Boot Drive: 250GB MX500, Game Drive: WD Blue 1TB 7200RPM HDD.

 

Peripherals: GK61 (Optical Gateron Red) with Mistel White/Orange keycaps, Logitech G102 (Purple), BitWit Ensemble Grey Deskpad. 

 

Audio: Logitech G432, Moondrop Starfield, Mic: Razer Siren Mini (White).

 

Phone: Pixel 3a (Purple-ish).

 

Build Log: 


Another reason to not trust these always connected, always listening, "smart" devices. But people will still use them. Because just like Quinnell said :

4 minutes ago, Quinnell said:

"hurrr hurr convenience!"

 

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


5 minutes ago, Quinnell said:

I really should just dispose of my smart devices.  The logical part of me really wants to.  The not-so-logical part of me strongly disagrees.

I own a dot and use it only for timers, alarms, reminders, and a speaker when I don't want the distractions of a PC. Alexa is always on microphone mute unless I want to set a timer or play music.

 

I still should dispose of it.

please quote me or tag me @wall03 so i can see your response

motherboard buying guide      psu buying guide      pc building guide     privacy guide

ltt meme thread

folding at home stats

 

pc:

 

RAM: 16GB DDR4-3200 CL-16

CPU: AMD Ryzen 5 3600 @ 3.6GHz

SSD: 256GB SP

GPU: Radeon RX 570 8GB OC

OS: Windows 10

Status: Main PC

Cinebench R23 score: 9097 (multi) 1236 (single)

 

don't some things look better when they are lowercase?

-wall03

 

hello dark mode users

goodbye light mode users


Ha Ha. Hacker go burr!

I could use some help with this!

please, pm me if you would like to contribute to my gpu bios database (includes overclocking bios, stock bios, and upgrades to gpus via modding)

Bios database

My beautiful, but not that powerful, main PC:

prior build:


34 minutes ago, zeusthemoose said:

Then, the attacker installs a skill with the same invocation phrase as the deleted skill.

This should have been something that microsoft could have been doing a better job of scanning for. If they were doing a better job at auditing the skills that could be used then this attack would have been impossible. Outside of that they would have just had access similar to any other phishing compromise.


It's almost as if IoT is a fucking terrible idea, always has been, and always will be.

 

Big brain time?

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


i love my IoT to not have a microphone or camera. if it wants to be on the internet without those things. sure...

 

CPU | AMD Ryzen 7 7700X | GPU | ASUS TUF RTX3080 | PSU | Corsair RM850i | RAM 2x16GB X5 6000Mhz CL32 MOTHERBOARD | Asus TUF Gaming X670E-PLUS WIFI | 
STORAGE 
| 2x Samsung Evo 970 256GB NVME  | COOLING 
| Hard Line Custom Loop O11XL Dynamic + EK Distro + EK Velocity  | MONITOR | Samsung G9 Neo
