Cybersecurity researchers revealed a severe security bug in Amazon’s Alexa virtual assistant that makes it vulnerable to a number of malicious attacks.
According to a report by Check Point Research, exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and collect personal information through skill interaction when the user invokes the installed skill.
Oded Vanunu, head of product vulnerabilities research stated that as smart speakers and virtual assistants are found everywhere, it is easy to miss just how much personal data they hold, and their role in controlling other smart devices in our homes.
The But hackers consider such devices as entry points into peoples’ lives to access data, eavesdrop on conversations or perform other malicious actions without the knowledge of the owner.
Check Point stated that the flaws originated from a misconfigured CORS policy in Amazon’s Alexa mobile application, permitting allowing adversaries with code-injection capabilities on one Amazon subdomain to perform a cross-domain attack on another Amazon subdomain.
In other words, on successful exploitation, a single click on an Amazon link specially crafted by the attacker can direct users to an Amazon subdomain that’s vulnerable to XSS attacks.
The researchers also found that a request to retrieve a list of all the installed skills on the Alexa device also returns a CSRF token in the response.
The main aim of a CSRF token is to prevent Cross-Site Request Forgery attacks in which a malicious link or program causes an authenticated user’s web browser to perform an unwanted action on a legitimate website. This is because a site cannot differentiate between legitimate requests and forged requests.
But it is possible for a threat actor to create valid requests to the backend server and perform actions on the victim’s behalf, such as installing and enabling a new skill for the victim remotely.
The attacker then uses it to trigger a request to “skillsstore.amazon.com” subdomain with the victim’s credentials to get a list of all installed skills on the Alexa account and the CSRF token.
In the final stage, the exploit captures the CSRF token from the response and uses it to install a skill with a specific skill ID on the target’s Alexa account, stealthily remove an installed skill, get the victim’s voice command history, and even access the personal information stored in the user’s profile.
IoT devices are inherently vulnerable and still lack adequate security, making it a best target to threat actors.
The vulnerabilities were patched by Amazon in June 2020, when the researchers disclosed their findings to them.