Amazon's Alexa voice assistant could be exploited to hand over user data due to security vulnerabilities in the service's subdomains.
The smart assistant, which is found in devices such as the Amazon Echo and Echo Dot -- with over 200 million shipments worldwide -- was vulnerable to attackers seeking user personally identifiable information (PII) and voice recordings.
Check Point Research said on Thursday that the security issues were caused by Amazon Alexa subdomains susceptible to Cross-Origin Resource Sharing (CORS) misconfiguration and cross-site scripting (XSS) attacks.
When Check Point first began examining the Alexa mobile app, the company noticed the existence of an SSL mechanism that prevents traffic inspection. However, the script used could be bypassed using the Frida SSL universal unpinning script.
This led to the discovery of the app's misconfiguration of CORS policy, which allowed Ajax requests to be sent from Amazon subdomains.
If a subdomain was found as vulnerable to code injection, an XSS attack could be launched, and this was performed via track.amazon.com and skillsstore.amazon.com.
According to Check Point, it would only take a victim to click on a malicious link to exploit the vulnerabilities. A victim routed to a domain via phishing, for example, could be subject to code injection and the theft of their Amazon-related cookies.
An attacker would then use these cookies to send an Ajax request to the Amazon skill store, of which the request would send back a list of all skills installed in the victim's Amazon Alexa account.
By launching an XSS attack, researchers were also able to acquire CSRF tokens and, therefore, perform actions while masquerading as the victim. This could include removing or installing Alexa skills, and by using the CSRF token to remove a skill and then installing a new one with the same evocation phrase, this could "trigger an attacker skill," the team says.
Should a victim trigger this new skill unwittingly, it may be possible for attackers to access voice history records, as well as abuse skill interactions to harvest personal information.
During tests, Check Point found phone numbers, home addresses, usernames, and banking data history could theoretically be stolen.
"Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim's interaction with the bank skill and get their data history," the team says. "We can also get usernames and phone numbers, depending on the skills installed on the user's Alexa account."
However, Alexa does redact banking information speficially in histories and logs.
Check Point also provided proof-of-concept (PoC) code.
Skill abuse is an interesting form of attack and a potential way for cyberattackers to enter our homes -- although the time window before malicious skills are spotted and removed may be short.
"It's important to note that Amazon conducts security reviews as part of skill certification, and continually monitors live skills for potentially malicious behavior," the researchers say. "Any offending skills that are identified are blocked during certification or quickly deactivated."
Check Point researchers disclosed their findings privately to Amazon in June, and the security issues have now been patched.
"We conducted this research to highlight how securing these devices is critical to maintaining users' privacy," commented Oded Vanunu, Check Point's Head of Products Vulnerabilities Research. "Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains. We hope manufacturers of similar devices will follow Amazon's example and check their products for vulnerabilities that could compromise users' privacy."
"The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us," an Amazon spokesperson told ZDNet. "We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed."
Previous and related coverage
- Amazon the disrupter enters low-code market; doesn't disrupt anything
- This E Ink prototype shows e-readers could soon join the foldable smartphone pack
- The ultimate in working from home: Amazon's engineers are building robots in their garages
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0