You knew Alexa was listening, but if you have not updated the software this summer, some very dangerous threat actors could be listening too!
The recent compromise of Amazon Alexa revealed a number of terrifying vulnerabilities. A concerning number of Amazon and Alexa subdomains were vulnerable to attacks that leverage a Cross-Origin Resource Sharing (CORS) misconfiguration together with Cross-Site Scripting (XSS). According to researchers, the malicious actors fooled Amazon’s internal servers by launching a script that gave access to the Amazon smart home ecosystem, permitting them to install Alexa applications (which Amazon calls “skills”) without any indication to the user.
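To make the CORS half of that root cause concrete, here is an added example (not code from this post, from Amazon, or from Check Point) that contrasts the weak pattern, a server that echoes whatever Origin the browser sends while also allowing credentials, with the allowlisted form, plus the check a reviewer or scanner can run over a response. The origin names and allowlist are constructed for the illustration.

```python
"""CORS misconfiguration: the weak pattern, the corrected pattern, and a check.

Added example, not code from the original post or from Amazon/Check Point.
The allowlist and origin names below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist of first-party origins (an assumption for this example).
ALLOWED_ORIGINS = {
    "https://www.example-shop.test",
    "https://skills.example-shop.test",
}


def vulnerable_cors_headers(request_origin: str) -> dict:
    """The weak pattern: reflect any Origin and allow credentials.

    Any page the victim visits can then read responses that carry the
    victim's cookies, which is the cross-origin read of private data
    (installed skills, tokens) that the post describes.
    """
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_cors_headers(request_origin: str) -> dict:
    """The corrected pattern: echo only an Origin on an explicit allowlist.

    The comparison is on the whole origin (scheme + host + port), never on a
    substring or suffix, so "https://www.example-shop.test.attacker.test" is
    rejected. Unknown origins get no CORS headers at all, so the browser
    blocks the cross-origin read.
    """
    parts = urlsplit(request_origin)
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    # A real Origin header carries no path or query; anything else is rejected.
    if normalized in ALLOWED_ORIGINS and parts.path in ("", "/") and not parts.query:
        return {
            "Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # keep caches from serving one origin's grant to another
        }
    return {}


def is_overly_permissive(response_headers: dict) -> bool:
    """Defensive check: does this response grant a credentialed cross-origin
    read to an origin outside the allowlist (or to the '*' wildcard)?"""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return False
    return creds and (acao == "*" or acao not in ALLOWED_ORIGINS)


if __name__ == "__main__":
    for origin in ("https://www.example-shop.test",
                   "https://attacker.test",
                   "https://www.example-shop.test.attacker.test"):
        weak = vulnerable_cors_headers(origin)
        fixed = hardened_cors_headers(origin)
        print(f"{origin}: weak misconfigured={is_overly_permissive(weak)}, "
              f"hardened misconfigured={is_overly_permissive(fixed)}")
```

The same check applies to preflight responses and to any subdomain that serves authenticated data: a single host that reflects Origin with credentials is enough for the cross-site read, which is why the post stresses that a number of subdomains, not just one, were affected.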
According to Check Point Research, the attack goes like this:
1: The user clicks on a malicious link that directs them to amazon.com where the attacker has code-injection capability.
2: The attacker sends a new Ajax request with the user’s cookies to amazon.com/app/secure/your-skills-page and gets a list of all installed skills on the Alexa account and the CSRF token in the response.
3: The attacker uses the CSRF token to remove one common skill from the list we received in the previous step.
4: Then, the attacker installs a skill with the same invocation phrase as the deleted skill.
5: Once the user tries to use the invocation phrase, they will trigger the attacker skill.
Amazon skill hacks can lead to a malicious actor obtaining a list of installed apps and the user’s voice history, search history and personal data, turning Alexa into a malicious monitoring and data-collection device. That data can be repurposed to build more complex attacks against Alexa users. One example of the vulnerability: while most internet apps do not collect your unencrypted banking login information, a hacked Alexa device can. Attackers can gain access to the user’s interaction with the banking skill app and obtain the user’s data history. From there, identities can be stolen, or banking information can be used to make fraudulent purchases.
But my Smart Freezer full of Lockdown Food is Good, Right?
No, not really! Another big problem is all of Alexa’s Smart Home and Virtual Assistant capabilities. With the ability to control everyday IoT devices, a malicious actor could theoretically control cameras, microphones, thermostats, refrigerators, lights, door locks and more! With that much power, malicious actors could steal and distribute private videos of victims on the internet and make extortion threats. They could also remotely vandalize the home with extreme temperatures or even time a physical home invasion with surgical precision. This is a big problem!
The vulnerability was discovered and patched in June, but the lack of adequate security monitoring and updates continues to make Alexa an attractive target to threat actors. While GoVanguard focuses primarily on large, institutional security, we thought this threat deserved to be pointed out so that consumers can be sure their Alexa units have been updated with the patch since about 200 million of them have been installed into homes, and that is a very big threat surface!
At GoVanguard, we engage in ongoing training for our clients who are at risk of similar attacks. If your organization utilizes virtual assistants or IoT in the workplace, it is important to make sure that everything is properly secured. The most effective way to secure your organization is by empowering your entire staff to engage in secure behaviors, and by keeping them alert with frequent spearphishing and social engineering simulations. Bundled with a regimen of pentesting services, GoVanguard can help you achieve a world class level of security!
Contact us today.