IoT (Internet of Things) devices have always raised security concerns, and smart home appliances are the ones most often exploited by cyber attackers. In many cases, we have seen that IoT devices are inherently vulnerable and still lack adequate security. In their latest finding, researchers at cybersecurity firm Check Point have found security vulnerabilities in Amazon/Alexa subdomains. According to the researchers, hackers could take advantage of these vulnerabilities to remove or install skills on a targeted user’s account and access personal data.
The research claims that the attack can be triggered by a single click on a malicious link designed by the attacker, followed by a voice interaction by the victim.
With over 200 million sold globally, Alexa is capable of voice interaction, setting alerts, music playback, and controlling smart devices in a home automation system. Users can extend Alexa’s capabilities by installing ‘skills’, which are voice-driven apps. However, the personal information stored in users’ Alexa accounts and the device’s use as a home automation controller make them an attractive target for hackers.
“The personal information stored in users’ Alexa accounts and the device’s use as a home automation controller makes them an attractive target for hackers,” said Check Point in a statement.
These vulnerabilities would have allowed an attacker to:
- Silently install skills (apps) on a user’s Alexa account
- Get a list of all installed skills on the user’s Alexa account
- Silently remove an installed skill
- Get the victim’s voice history with their Alexa
- Get the victim’s personal information
In simple terms, if you click the malicious link, the attacker will be able to access your personal information and important data, including banking data, usernames, and your home address. Cyber attackers can also extract your voice history.
Do note that Amazon never records your banking login credentials, but your interactions are recorded; an attacker who can access that voice history can read your interactions with the bank skill and extract your details from them.
How an attacker can perform actions on the user’s Alexa:
- The user clicks on a malicious link that directs them to track.amazon.com where the attacker has code-injection capability.
- The attacker sends a new Ajax request with the user’s cookies to skillsstore.amazon.com/app/secure/your-skills-page and gets a list of all installed skills on the Alexa account and the CSRF token in the response.
- The attacker uses the CSRF token to remove one common skill from the list obtained in the previous step.
- Then, the attacker installs a skill with the same invocation phrase as the deleted skill.
- Once the user tries to use the invocation phrase, they will trigger the attacker skill.
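The chain above works because a script running on one subdomain (the page names track.amazon.com) can make an Ajax request to a sibling subdomain (skillsstore.amazon.com), the browser attaches the victim’s cookies automatically, and the response, CSRF token included, is readable by the calling page. The following is an added example, not Check Point’s or Amazon’s code, showing the two server-side checks a defender uses to break that chain: an exact-origin check on state-changing requests (a CSRF token alone does not help once the token can be read cross-origin) and a CORS policy that never exposes credentialed responses to sibling subdomains. The hostnames, the `Request` shape, the session store and all function names are assumptions made for the example.

```python
"""
Added example (not from the original article): server-side checks that defeat
the cross-subdomain skill install/remove chain described above.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical origin of the legitimate skills-management page. Only this exact
# origin may change account state. Note that a relaxed rule such as
# "any *.example.com subdomain" would readmit the attacking subdomain.
ALLOWED_ORIGIN = "https://skillsstore.example.com"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as seen by the skills endpoint."""
    method: str
    origin: Optional[str]             # Origin header, None if absent
    referer: Optional[str]            # Referer header, None if absent
    cookies: Dict[str, str]           # cookies the browser attached
    form: Dict[str, str] = field(default_factory=dict)


# Constructed session store: session id -> CSRF token bound to that session.
SESSIONS: Dict[str, str] = {}


def new_session() -> Tuple[str, str]:
    """Create a session and its per-session CSRF token; returns (sid, token)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def _origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def check_state_change(req: Request) -> Tuple[bool, str]:
    """Decide whether a request that installs or removes a skill may proceed.

    Returns (allowed, reason). The order matters: the origin check rejects the
    cross-subdomain request even when the attacker already holds a valid token.
    """
    # 1. Never let a GET change state; a cross-site GET needs no script at all.
    if req.method.upper() not in ("POST", "DELETE"):
        return False, "state changes must not be reachable via GET"

    # 2. Exact source check: prefer Origin, fall back to the Referer's origin.
    source = req.origin or (req.referer and _origin_of(req.referer))
    if source != ALLOWED_ORIGIN:
        return False, f"origin {source!r} not allowed"

    # 3. The request must belong to a live session.
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return False, "no valid session"

    # 4. CSRF token must match the one bound to that session (constant-time).
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), SESSIONS[sid].encode()):
        return False, "csrf token missing or does not match session"

    return True, "ok"


def cors_headers_for(origin: Optional[str]) -> Dict[str, str]:
    """CORS response headers: credentialed reads only for the exact allowed origin.

    Returning nothing for any other origin means a page on a sibling subdomain
    cannot read the skills list or the CSRF token out of the response.
    """
    if origin == ALLOWED_ORIGIN:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


if __name__ == "__main__":
    sid, token = new_session()
    legit = Request("POST", ALLOWED_ORIGIN, None, {"session": sid}, {"csrf_token": token})
    # Constructed cross-subdomain request: same cookies, even the leaked token,
    # but the browser-set Origin header names the other subdomain.
    cross = Request("POST", "https://track.example.com", None, {"session": sid}, {"csrf_token": token})
    print(check_state_change(legit))
    print(check_state_change(cross))
    print(cors_headers_for("https://track.example.com"))
```

The `SameSite` cookie attribute does not help here on its own: two subdomains of one registrable domain are the same site, so the browser still sends the cookie. The exact-origin comparison and the refusal to emit `Access-Control-Allow-Origin` for sibling subdomains are what close the chain.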
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes. But hackers see them as entry points into people’s lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware,” said Oded Vanunu, Head of Products Vulnerabilities Research at Check Point.
“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy. Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains,” he added.
Cybercriminals are always on the lookout for new and easier ways to breach devices, and smart home appliances are the soft targets they can use to infect other critical systems. To keep your devices and data safe from attackers, update them as soon as a new firmware update arrives. Also, make sure you do not click a random link just because the email or text claims to come from the official site. Attackers often replicate an identical mail that might confuse you, but if you take a closer look at the link you will notice the difference.