In June this year, researchers from Check Point discovered a number of dangerous vulnerabilities that exposed the Amazon Alexa virtual assistant and its users to attack.
The problems were CORS and XSS bugs, as well as configuration issues, and they affected several Amazon subdomains. By exploiting these bugs, attackers could gain access to personal data (usernames, phone numbers, home addresses, voice history) and perform various actions on behalf of victims (for example, delete and install Alexa skills).
"It only took one click on a link specially created by an attacker to successfully exploit (the problems)," the researchers write.
For the attack to succeed, the attacker only needed to create a malicious link that directed the user to amazon.com and send it to the victim (somehow getting the user to click on it). The researchers suggested using the vulnerable track.amazon.com for this purpose. This page is not associated with Alexa; it is used to track parcels from Amazon, and it was previously possible to inject malicious code into it.
The attacker then sent an Ajax request, carrying the user's cookies, to amazon.com/app/secure/your-skills-page, which allowed him to get a list of the skills installed for this Alexa account.
The response to such a request also contained a CSRF token, which an attacker could use to remove one skill from the list. The attacker could then install his own malicious Alexa skill on the device in the same way. Replacing a removed skill with one of his own opened up many opportunities for the criminal, depending on the skills installed on the user's device. For example, it was possible to access the victim's voice history, and from there usernames, phone numbers, home addresses and banking data (Alexa does not record banking login credentials, but it does record other interactions).
“Smart speakers and virtual assistants seem so unremarkable that, at times, we lose sight of their role in managing a smart home, as well as how much personal data they store. For this reason, hackers see these applications as entry points into people's lives, through which they can access personal data, eavesdrop on conversations and perform other malicious actions without the user's knowledge,” says Oded Vanunu, head of vulnerability research at Check Point Software Technologies. “The goal of our research is to highlight the need for security for devices like Alexa. Fortunately, Amazon specialists quickly fixed vulnerabilities in the Amazon / Alexa subdomains. We hope that manufacturers of such devices will follow Amazon's example and test their products for vulnerabilities that could potentially compromise user privacy.”
Amazon engineers have since patched all of the discovered vulnerabilities. The company also said that it was not aware of any exploitation of these problems or of any disclosure of customer information.
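The chain described above depends on a script running on an unrelated subdomain being allowed to read a cookie-authenticated response that embeds a CSRF token. The following is an added example, not code from Check Point's report or from Amazon, that contrasts a CORS policy trusting every sibling subdomain with an exact-match allowlist. The article does not detail the actual misconfiguration, so the weak policy is an assumption, and all hostnames and function names are constructed.

```javascript
// Added example: CORS decision for a credentialed endpoint (for instance a
// skills list whose response embeds a CSRF token). Hostnames are constructed.

// Assumed weak policy: trust every subdomain of the parent domain.
function weakCorsHeaders(origin) {
  let host;
  try { host = new URL(origin).hostname; } catch { return {}; }
  if (host === 'shop.example' || host.endsWith('.shop.example')) {
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
    };
  }
  return {};
}

// Hardened policy: exact-match allowlist of the origins that really need to
// read this response, compared as full origins (scheme + host + port).
const ALLOWED_ORIGINS = new Set(['https://assistant.shop.example']);

function strictCorsHeaders(origin) {
  let parsed;
  try { parsed = new URL(origin); } catch { return {}; }
  // Reject anything that is not already a bare, normalised origin
  // (paths, userinfo, the literal "null").
  if (parsed.origin !== origin || !ALLOWED_ORIGINS.has(parsed.origin)) return {};
  return {
    'Access-Control-Allow-Origin': parsed.origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // keep caches from serving one origin's grant to another
  };
}

// Would a browser let a script on `origin` read the cookie-authenticated response?
function canReadWithCookies(headers, origin) {
  return headers['Access-Control-Allow-Origin'] === origin &&
         headers['Access-Control-Allow-Credentials'] === 'true';
}

// Constructed origins: an unrelated sibling (parcel tracking) and the real front end.
const SIBLING = 'https://track.shop.example';
const FRONTEND = 'https://assistant.shop.example';

function compare() {
  return {
    weakSibling: canReadWithCookies(weakCorsHeaders(SIBLING), SIBLING),
    strictSibling: canReadWithCookies(strictCorsHeaders(SIBLING), SIBLING),
    strictFrontend: canReadWithCookies(strictCorsHeaders(FRONTEND), FRONTEND),
  };
}
```

With the allowlist, an injection flaw on the tracking subdomain no longer yields a readable token from the skills endpoint, so the XSS stays contained to the page where it occurred.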