Alexa flaws reveal personal information
Due to security holes in the service's subdomains, Amazon's Alexa voice assistant could be abused to leak user data.
The smart assistants in devices like the Amazon Echo and Echo Dot are vulnerable to attackers seeking personally identifiable information (PII) and voice recordings.
According to Check Point, the security issues stem from Amazon Alexa subdomains that are vulnerable to CORS (cross-origin resource sharing) misconfiguration and XSS (cross-site scripting) attacks.
Check Point researchers identified the vulnerability by testing the Amazon Alexa mobile app and found that many of the requests the app made had a misconfigured CORS policy that allowed them to be sent from any Amazon subdomain.
In this way, an attacker with a code-injection (XSS) vulnerability on one Amazon subdomain can carry out cross-domain attacks against another Amazon subdomain.
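The policy flaw described above, as an added illustration that is not code from Check Point or Amazon: a CORS origin check that trusts every subdomain of a parent domain, beside a strict allow-list, plus a small audit of the cookie attributes that decide whether a session cookie rides along on such cross-subdomain requests. The hostnames, the parent domain `example.com` and the allow-list entries are constructed placeholders, not the affected Amazon hosts.

```javascript
// Added example (not from Check Point or Amazon). Hostnames and domains below are
// constructed placeholders; "example.com" stands in for an organisation's parent domain.

const TRUSTED_PARENT = "example.com";                 // assumption: the org's parent domain
const STRICT_ALLOW_LIST = new Set([                   // assumption: the only origin that needs
  "https://app.example.com",                          // credentialed cross-origin access
]);

// Weak policy: "any subdomain of our parent domain may call us with credentials".
// Every subdomain, including forgotten legacy ones, then shares the API's trust,
// so an XSS on any one of them inherits cross-origin access to the API.
function isAllowedOriginWeak(origin) {
  let host;
  try { host = new URL(origin).hostname; } catch (e) { return false; }
  return host === TRUSTED_PARENT || host.endsWith("." + TRUSTED_PARENT);
}

// Hardened policy: exact-match allow-list of full origins (scheme included).
function isAllowedOriginStrict(origin) {
  return STRICT_ALLOW_LIST.has(origin);
}

// Response headers for a request carrying an Origin header, under a given policy.
// Returning no CORS headers at all makes the browser withhold the response body.
function corsHeaders(origin, policy) {
  if (!policy(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                // never cache one origin's answer for another
  };
}

// Audit a Set-Cookie header for attributes that limit what a cross-subdomain
// request can carry. A cookie scoped to the parent domain is sent to every
// subdomain, which is what makes the weak policy above dangerous.
function cookieIssues(setCookieHeader) {
  const parts = setCookieHeader.split(";").map((p) => p.trim());
  const attrs = new Map();
  for (const part of parts.slice(1)) {          // parts[0] is name=value
    const [key, value = ""] = part.split("=");
    attrs.set(key.toLowerCase(), value);
  }
  const issues = [];
  if (!attrs.has("secure")) issues.push("missing Secure");
  if (!attrs.has("httponly")) issues.push("missing HttpOnly");
  const sameSite = (attrs.get("samesite") || "").toLowerCase();
  if (sameSite !== "strict" && sameSite !== "lax") issues.push("SameSite not Strict/Lax");
  const domain = (attrs.get("domain") || "").replace(/^\./, "").toLowerCase();
  if (domain === TRUSTED_PARENT) issues.push("Domain scoped to parent domain (shared with every subdomain)");
  return issues;
}

// Stand-alone run: compare both policies on a constructed legacy subdomain.
const legacyOrigin = "https://legacy-tracking.example.com";   // constructed
console.log("weak policy allows legacy subdomain:", isAllowedOriginWeak(legacyOrigin));
console.log("strict policy allows legacy subdomain:", isAllowedOriginStrict(legacyOrigin));
console.log("cookie issues:", cookieIssues("sid=abc123; Domain=.example.com; Path=/"));
```

The strict check compares the whole origin string, so neither a sibling subdomain nor a different scheme matches; the `Vary: Origin` header keeps a cache from replaying one origin's allow header to another. The cookie audit flags the parent-domain `Domain` attribute separately from `SameSite`, because the two address different failure modes: scope decides which hosts receive the cookie, `SameSite` decides which navigations and fetches attach it.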
As a proof of concept, the researchers used a vulnerability on an Amazon subdomain to exploit the misconfigured cookies and manipulate the victim's Alexa account.
They crafted a link that redirects the unsuspecting victim to track.amazon.com, through which the researcher can send a request carrying the victim's cookies to the site that offers skills for installation and retrieve the list of skills (voice applications) installed on the victim's Alexa account.
The researcher then uses the token to remove a common skill from that list and installs a malicious skill in its place that uses the same invocation phrase as the deleted one.
This way, when the victim uses the invocation phrase, they unknowingly launch the attacker's malicious skill.
During testing, Check Point found that phone numbers, home addresses, usernames, and bank details could be stolen.
Amazon does not record banking credentials, but it does record user interactions, and banking information can be gleaned from those records.
An Amazon spokesperson said in a statement: "The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who have pointed out potential issues to us."
He added, "After this was brought to our attention, we fixed the problem and will continue to strengthen our systems. We have not found any use of this vulnerability or any disclosure of customer information to our clients."
In a blog post, the researchers wrote: "Virtual assistants are used in smart homes to control everyday IoT devices such as lamps, air conditioners, vacuum cleaners, and entertainment devices. Their popularity has increased over the past ten years. They play an important role in our daily lives and seem to be becoming more and more common as technology develops."
They added, "As virtual assistants become the entry point for controls and personal devices in the home, protecting these entry points is vital, while user privacy is paramount."
A study by researchers from Clemson University's School of Computer Science found that the privacy policies of Amazon Alexa and Google Assistant apps often have issues and violate basic requirements.