Amazon’s Alexa voice assistant could be exploited to hand over user data because of security vulnerabilities in the service’s subdomains.
The smart assistant, found in devices such as the Amazon Echo and Echo Dot – with more than 200 million shipments worldwide – was vulnerable to attackers looking for personally identifiable information (PII) and voice recordings.
Check Point Research said on Thursday that the security issues were caused by Amazon Alexa subdomains that were susceptible to Cross-Origin Resource Sharing (CORS) misconfiguration and cross-site scripting (XSS) attacks.
When Check Point first began investigating the Alexa app, the company noticed an SSL pinning mechanism that prevents traffic inspection. However, the mechanism could be bypassed using the Frida SSL universal unpinning script.
This led to the discovery of the app’s misconfigured CORS policy, which allowed Ajax requests to be sent from Amazon subdomains.
If a subdomain was found to be vulnerable to code injection, an XSS attack could be launched; this was carried out through track.amazon.com and skillsstore.amazon.com.
According to Check Point, all it would take to exploit the vulnerabilities is for a victim to click on a malicious link. A victim directed to a domain through phishing, for example, could be subject to code injection and the theft of their Amazon-related cookies.
An attacker would then use these cookies to send an Ajax request to the Amazon Skill Store, which would return a list of all skills installed in the victim’s Amazon Alexa account.
By launching an XSS attack, researchers were also able to obtain CSRF tokens and, therefore, perform actions on the victim’s behalf. This can include removing or installing Alexa skills, and by using the CSRF token to remove a skill and then install a new one with the same invocation phrase, this can “trigger an attacker skill”, the team says.
If a victim unknowingly triggers this new skill, it may be possible for attackers to access voice history records, as well as abuse skill interactions to retrieve personal information.
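The CORS weakness described above, shown as an added example that is not Check Point's PoC or Amazon's code: a policy that trusts every subdomain with credentials is audited next to an exact-match allowlist. The example.com hosts, function names and sample origins are constructed assumptions.

```javascript
// Added illustration. All hosts below are constructed placeholders.

// Builds the response headers that let a page on `origin` read a
// cookie-authenticated (credentialed) response.
function credentialedHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Weak policy: every subdomain of the parent domain is trusted, so one
// injectable sibling subdomain is enough to read account data cross-origin.
function weakCorsHeaders(origin) {
  const anySubdomain = /^https:\/\/([a-z0-9-]+\.)*example\.com$/;
  return anySubdomain.test(origin || "") ? credentialedHeaders(origin) : {};
}

// Hardened policy: only origins that genuinely need credentialed reads,
// compared by exact string match.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
function strictCorsHeaders(origin) {
  return ALLOWED_ORIGINS.has(origin) ? credentialedHeaders(origin) : {};
}

// Browser rule: script on pageOrigin may read a credentialed response only
// if the server echoes that exact origin and allows credentials.
function pageCanReadResponse(pageOrigin, headers) {
  return headers["Access-Control-Allow-Origin"] === pageOrigin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Audit helper: which candidate origins get credentialed read access?
function auditPolicy(policy, origins) {
  return origins.filter((o) => pageCanReadResponse(o, policy(o)));
}

const SAMPLE_ORIGINS = [
  "https://app.example.com",       // first-party application
  "https://tracking.example.com",  // sibling subdomain assumed to have an XSS flaw
  "https://example.com.evil.test", // look-alike host on another domain
  "null",                          // sandboxed or file-based document
];

console.log("weak policy trusts:  ", auditPolicy(weakCorsHeaders, SAMPLE_ORIGINS));
console.log("strict policy trusts:", auditPolicy(strictCorsHeaders, SAMPLE_ORIGINS));
```

Under the weak policy the sibling subdomain appears in the trusted list, which is the condition that lets an XSS flaw on one subdomain read credentialed responses from another.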
During tests, Check Point found that phone numbers, home addresses, usernames, and banking data histories could theoretically be stolen.
“Amazon does not record your bank credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim’s interaction with the bank’s skills and their data history,” says the team. “We can also get usernames and phone numbers, depending on the skill installed on the user’s Alexa account.”
However, Alexa does bank information spectacularly in history and logs.
Check Point also provided proof-of-concept (PoC) code.
Skill abuse is an interesting attack vector and a potential way for cyberattackers to enter our homes, although the time window before malicious skills are detected and removed may be short.
“It’s important to note that Amazon does security reviews as part of skill certification, and continuously checks live for potentially malicious behavior,” the researchers say. “Any offensive skills that are identified will be blocked upon certification or disabled soon.”
Check Point investigators unequivocally disclosed their findings to Amazon in June, and the security issues have now been patched.
“We conducted this research to highlight how securing these devices is critical to maintaining the privacy of users,” commented Oded Vanunu, Head of Products Vulnerabilities Research at Check Point. “Fortunately, Amazon responded quickly to our revelation to close these vulnerabilities on certain Amazon/Alexa subdomains. We hope similar device manufacturers follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy.”
“The safety of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who are bringing potential issues to us,” an Amazon spokesman told ZDNet. “We have fixed this issue soon after it came to our attention, and we continue to strengthen our systems. We are not aware that cases of this vulnerability will be used against our customers or of any customer information that is exposed.”