A number of vulnerabilities have been revealed in Amazon’s Alexa, highlighting the need for smart home platform providers, such as Apple’s HomeKit, to maintain security as part of the service.
The concept of a smart home is appealing, but the dream of ordering a virtual assistant to automate household chores becomes a nightmare once security issues surface. In the case of Amazon’s Alexa, which is at the heart of many people’s smart setup, vulnerabilities have been revealed that could allow an attacker to perform tasks and find out what a user told Alexa.
The report by Check Point Security researchers found that a number of Amazon and Alexa subdomains were vulnerable to a Cross-Origin Resource Sharing (CORS) misconfiguration and to Cross-Site Scripting (XSS). Using XSS, an attacker could obtain a CSRF token that would allow them to access elements of the smart home installation.
According to the researchers, these could include automatically installing Alexa skills without the user’s knowledge, getting a list of all installed skills, silently removing installed skills, getting the victim’s voice history from Alexa, and even obtaining personal information.
This skill manipulation could allow a modified version of an existing skill to be installed and then used by the user, one that lets the attacker perform actions or acquire further user data. An attacker could even install a skill to eavesdrop on conversations near an Echo device.
It is claimed that successful exploitation of the vulnerability would be possible through a single click on an Amazon link by the victim.
Check Point publicly disclosed the vulnerabilities to Amazon in June 2020, and the issues are fixed.
“Internet of Things devices are inherently vulnerable and still lack adequate security, making them attractive targets for threat actors,” writes Check Point. “Cybercriminals are constantly looking for new ways to break devices, or use them to infect other critical systems. This research presented a weak point in what constitutes a bridge for such IoT devices. Both the bridge and the devices serve as entry points. They must always be kept secure to prevent hackers from infiltrating our smart homes.”
Amazon has been embroiled in controversy in the past over the security and privacy issues of its smart home platform. In 2019, Amazon employees were found to be listening to audio recordings from Echo devices to improve accuracy, while later that year, researchers were able to add eavesdropping apps to the app stores for Alexa and Google Home that could also enable phishing.
While Apple operates its own HomeKit smart home platform, the company works to keep each element as secure as possible. This includes extensive use of encryption, as well as a long list of requirements and restrictions that every new HomeKit compliant device must follow in order to function on the platform.