During routine tests, researchers at cyber security company Check Point found that through certain vulnerable Amazon Alexa subdomains, it is not just possible but actually fairly easy to hack into the AI personal assistant. (The vulnerabilities were reported to Amazon in June and have since been patched).
The researchers explained in a report released by the company that by using some publicly available tools, security researchers were capable of silently installing or removing apps from a user’s account, accessing the user’s entire voice history and all of their personal information: “As virtual assistants today serve as entry points to people’s homes appliances and device controllers” they explained: “Securing these points has become critical, with maintaining the user’s privacy being top priority.
“This was our “entry point” and central motivation while conducting this research”.
How Researchers Hacked Alexa
Researchers began their testing with the Alexa Mobile Application, and found that there was an SSL pinning mechanism implemented which prevented them from inspecting the traffic. However, by using a well-known Frida SSL universal unpinning script, they could bypass the SSL Pinning pretty quickly, and view the traffic in clear text.
While analysing the traffic, researchers found that several requests made by the app had misconfigured the CORS policy (a mechanism that gives secure access to another domain outside its own) which would allow the sending of Ajax requests from any other Amazon subdomain. This vulnerability opens the door to attackers with code-injection capabilities on one Amazon subdomain to perform a cross domain attack on another Amazon subdomain.
Read This:AWS Customers are Opting in to Sharing AI Data Sets with Amazon Outside their Chosen Regions and Many Didn’t Know
From this point the attacker is able to trigger an error response from the server. This response provides code that can be manipulated and used to trigger the Ajax request back to Amazon for the victim’s credentials. This is where it gets interesting.
The Ajax request sends cookies to skills-store.amazon.com and steals the csrf token, a line of complex code generated for a page you want to protect. Armed with the code the threat actor can perform a CSRF attack and silently install a skill to the victim’s Alexa account. From here the attacker can gain access to pretty much anything connected to the victim’s Alexa. Through access to things like chat history, it can be easy to get hold of banking credentials and other sensitive data. Home addresses and other valuable information will also feature prominently on a chat history.
There is a small window in which to act, however, as Amazon conducts security reviews as part of skill certification and continually monitors live skills for potentially malicious behaviour. Any offending skills that are blocked during certification or quickly deactivated.
“Virtual assistants are used in Smart Homes to control everyday IoT devices such as lights, A/C, vacuum cleaners, electricity and entertainment” the report notes.
“They grew in popularity in the past decade to play a role in our daily lives, and it seems as technology evolves, they will become more pervasive.
“IoT devices are inherently vulnerable and still lack adequate security, which makes them attractive targets to threat actors. Cybercriminals are continually looking for new ways to breach devices, or use them to infect other critical systems”.