[ad_1]
A number of vulnerabilities have been revealed in Amazon’s Alexa, highlighting the need for providers of smart home platforms, such as Apple’s HomeKit, to maintain security as part of the service.
The concept of a smart home is appealing, but the dream of ordering a virtual assistant to automate household chores becomes a nightmare once the security concerns arise. In the case of Amazon’s Alexa, which is central to many people’s smart home setup, vulnerabilities have been revealed that could allow an attacker to perform tasks and find out what a user has. said to Alexa.
The Check Point Security researchers report found that a number of Amazon and Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) and Cross Site Scripting (XSS) misconfiguration. Using XSS, an attacker could acquire a CSRF token that would give them access to elements of the smart home installation.
According to the researchers, this could include automatically installing Alexa skills without the user’s knowledge, acquiring a list of all installed skills, silently removing installed skills, acquiring history. voice of the victim with Alexa and even obtaining personal information.
This skill manipulation can allow a modified version of an existing skill to be installed and then used by the user, a version that could allow the attacker to perform actions or acquire more data from the skill. of the user. It might even be possible for an attacker to install a skill to eavesdrop on conversations near an Echo device.
It is claimed that successful exploitation of the vulnerabilities would be possible through a single click on an Amazon link by the victim.
Check Point responsibly disclosed the Amazon vulnerabilities in June 2020 and the issues were resolved.
“Internet of Things devices are inherently vulnerable and still lack adequate security, making them attractive targets for threat actors,” writes Check Point. “Cybercriminals are continually looking for new ways to hack devices or use them to infect other critical systems. This research presented a weak spot in what constitutes a bridge to such IoT devices. The bridge and the devices both serve as entry points. They need to be secure at all times to prevent hackers from infiltrating our smart homes. “
Amazon has courted controversy with the security and privacy concerns of its smart home platform in the past. In 2019, Amazon employees were found to listen to audio recordings from Echo devices to improve its accuracy, while later in the same year, researchers were able to add spy apps to the Echo stores. ‘apps for Alexa and Google Home, which enabled eavesdropping and phishing. .
Although Apple operates its own HomeKit smart home platform, the company strives to keep every element as secure as possible. This includes heavy use of encryption, as well as a long list of requirements and restrictions that every new HomeKit-enabled device must meet in order to function on the platform.
[ad_2]
Source link