UPDATE
Vulnerabilities in Amazon’s Alexa virtual assistant platform could allow attackers to access users’ personal information, like home addresses – simply by persuading them to click on a malicious link.
Researchers with Check Point found several web application flaws on Amazon Alexa subdomains, including a cross-site scripting (XSS) flaw and cross-origin resource sharing (CORS) misconfiguration. An attacker could remotely exploit these vulnerabilities by sending a victim a specially crafted Amazon link.
“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy,” said Oded Vanunu, head of products vulnerabilities research at Check Point, in research published Thursday. “Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices. It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”
Researchers reported their findings to Amazon in June 2020. Amazon fixed the security issues, and the researchers publicly disclosed the flaws on Thursday.
“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us,” an Amazon spokesperson told Threatpost. “We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”
The Flaws
Researchers tested the mobile application that connects to Alexa. After using a Frida SSL-unpinning script to bypass the certificate pinning that protects the app's traffic, they were able to inspect the requests and responses exchanged between the app and Amazon's backend in clear text.
From there, they discovered that several requests made by the app were answered with a misconfigured CORS policy. CORS is the browser mechanism by which a server relaxes the same-origin policy and tells the browser which other origins may read its responses via XMLHttpRequest or fetch. When the allowed-origin header is generated too loosely (for example, by reflecting any subdomain of the site while also allowing credentials), script running on any of those origins, including one an attacker controls through an injection flaw, can make authenticated requests to the API and read the replies.
This misconfiguration could allow attackers to send specific Ajax requests from any other Amazon sub-domain. “This could potentially have allowed attackers with code-injection capabilities on one Amazon subdomain to perform a cross-domain attack on another Amazon subdomain,” said researchers.
Researchers then found that this CORS misconfiguration could be chained with an XSS flaw on an Amazon subdomain, allowing them to make a specific request that returns the list of skills installed on the victim's Alexa account. The response to this request also carried the CSRF token. A CSRF token is a unique, secret value generated by the server-side application and sent to the client, which must include it in later state-changing requests so the server can tell requests made from its own pages apart from forged ones. An attacker who can read this token can therefore perform actions on behalf of the victim.
Real-World Attack
In a real-world attack, a bad actor would first convince an Alexa user to click on a malicious link that directs them to an Amazon subdomain where the attacker has code-injection capabilities. From there, the injected script could retrieve the list of skills installed on the victim's Alexa account along with the user's CSRF token.
“The attack flow is trivial. I would not call it a sophisticated attack to carry, but the implication and the skills replacements make this attack seamless and sophisticated on the target side,” Vanunu told Threatpost.
Attackers are then able to install and enable new skills for the victim remotely. Skills are functionalities for Alexa, developed by third-party vendors, which can be thought of as apps, such as weather programs and audio features. With the token in hand, an attacker could silently install or remove skills on a user's Alexa account, having already retrieved the list of skills previously installed on it (see video below for a proof-of-concept demo).
More seriously, researchers speculate that attackers could also access a user’s voice history with Alexa and get their personal information – including their banking data history, usernames, phone numbers and home address.
“Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history,” said researchers. “We can also get usernames and phone numbers, depending on the skills installed on the user’s Alexa account.”
Alexa, Google Home and other virtual assistants have been found to have serious security and privacy issues over the years. In 2019, researchers disclosed a new way to exploit Alexa and Google Home smart speakers to spy on users. In 2018 a proof-of-concept Amazon Echo Skill showed how attackers can abuse the Alexa virtual assistant to eavesdrop on consumers with smart devices – and automatically transcribe every word said. Other privacy issues – such as allegations of Alexa secretly recording children and users – have put the AI assistant in the spotlight.
These incidents – and this most recent flaw – highlight the need for Alexa users to remember just how much data the voice assistant is collecting, said Check Point’s Vanunu.
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,” Vanunu said. “But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.”
This post was updated on Aug. 17 at 2pm ET with a statement from Amazon.