One Malicious Link Unlocks Alexa's Voice History
Amazon Has Patched the Issues, Says Demo Video Is Misleading
Researchers at the security firm Check Point developed a one-click attack against Amazon’s popular voice-controlled assistant Alexa that could have revealed a user’s voice history or personal information.
Check Point says its research highlights “a weak point in what is a bridge to such IoT appliances,” a reference to the web application security issues it found. Amazon fixed the issues after it was notified in June.
“We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems,” Amazon says. “We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”
Amazon took issue with some parts of Check Point’s video demonstration, contending it was misleading. But Check Point says the findings show that “IoT devices are inherently vulnerable and still lack adequate security, which makes them attractive targets to threat actors.” (See: Hey Alexa. Is This My Voice Or a Recording?)
User Interaction Required
The attack requires a user to click on a malicious link, which is a barrier – albeit often a low one – to a successful attack. But the way in which the malicious link appears makes it unlikely that someone would suspect an ambush because it comes from one of Amazon’s own domains.
Check Point examined Alexa’s mobile application. Because Amazon uses certificate pinning to ensure the app only communicates with the authorized domain, Check Point used the Frida tool, which can bypass certificate pinning and allow inspection of plain-text traffic.
The security firm discovered that Amazon had made errors setting the Cross-Origin Resource Sharing policy, which determines what resources web applications can access at other domains or ports.
“While looking at the traffic of the application, we found that several requests made by the app had misconfigured the CORS policy, ultimately allowing the sending of Ajax requests from any other Amazon subdomain,” Check Point writes. “This could potentially have allowed attackers with code-injection capabilities on one Amazon subdomain to perform a cross domain attack on another Amazon subdomain.”
To demonstrate the attack, Check Point crafted a malicious link on the subdomain “track.amazon.com” that asked which “skills” (small apps that add some other kind of functionality) were installed on the victim’s Alexa. A cross-site scripting vulnerability in that subdomain allowed a victim’s cookies to be captured.
Those cookies are enough to send an Ajax request to skillsstore.amazon.com, which returns a CSRF token as well as a list of the skills attached to the Alexa account. Attackers could then add or delete skills on the victim’s Alexa. A newly added skill can carry an invocation phrase that matches a deleted skill, so it launches when the user says the familiar phrase.
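The CORS misconfiguration described in the two paragraphs above is the hinge of the whole chain: a credentialed response (the CSRF token and skill list) is readable by a script on a sibling subdomain only if the server echoes that subdomain's origin and allows credentials. The following is an added example, not Check Point's or Amazon's code, that models a server-side CORS decision in its over-broad form (any subdomain of the parent domain is trusted) beside a strict allowlist, plus a small model of the browser's check. The hostnames and the `example.com` parent domain are constructed; the real endpoints and policy Amazon used are not shown on the page.

```python
"""Added example: over-broad subdomain CORS policy vs. a strict origin allowlist.
Not code from the article or from Amazon/Check Point; hostnames are constructed."""
from urllib.parse import urlsplit


def cors_headers_weak(origin: str, parent_domain: str = "example.com") -> dict:
    """Misconfiguration class the article describes: reflect the Origin header
    for any host under the parent domain and allow credentials. Every sibling
    subdomain, including one with an XSS bug, can then read the response."""
    host = urlsplit(origin).hostname or ""
    if host == parent_domain or host.endswith("." + parent_domain):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


# Constructed allowlist: only the first-party app origin that needs the data.
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})


def cors_headers_strict(origin: str) -> dict:
    """Hardened form: exact-match allowlist of full origins (scheme + host).
    'Vary: Origin' keeps caches from serving one origin's ACAO to another."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def browser_exposes_response(headers: dict, origin: str) -> bool:
    """Model of the browser's CORS check for a credentialed (cookie-bearing)
    fetch: the body is readable by the calling page only when ACAO equals the
    page's origin exactly (no wildcard) and credentials are explicitly allowed."""
    return (
        headers.get("Access-Control-Allow-Origin") == origin
        and headers.get("Access-Control-Allow-Credentials") == "true"
    )


def audit_policy(policy, origins: list[str]) -> list[str]:
    """Return the origins that a given policy function lets read the response.
    Useful for comparing a deployed policy against the intended allowlist."""
    return [o for o in origins if browser_exposes_response(policy(o), o)]


# Constructed probe set: the intended app, a sibling subdomain (the kind an
# XSS bug on a second subdomain would run from), a plain-HTTP variant, and a
# lookalike domain that merely contains the parent name.
PROBE_ORIGINS = [
    "https://app.example.com",
    "https://track.example.com",
    "http://track.example.com",
    "https://example.com.attacker.test",
]

if __name__ == "__main__":
    print("weak policy exposes  :", audit_policy(cors_headers_weak, PROBE_ORIGINS))
    print("strict policy exposes:", audit_policy(cors_headers_strict, PROBE_ORIGINS))
```

Running the block shows the weak policy handing the credentialed response to every subdomain (and even to its plain-HTTP form), while the strict policy exposes it only to the single intended origin; the lookalike domain is rejected by both because the suffix check is anchored on a leading dot. The practical review point is the `Access-Control-Allow-Credentials: true` plus reflected-origin combination: once that pair is present, the effective trust boundary is the set of every origin the reflection logic accepts, so each of those origins' own XSS exposure becomes this endpoint's exposure.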
In a demonstration video, Check Point shows how it could silently install a skill titled “Alexa, what’s my Flash Briefing” on a victim’s account. The skill purportedly delivers updates on Amazon Prime entertainment and shopping benefits. The video makes it appear that the app can then control a person’s home IoT devices, adjusting lights and shades.
But Amazon says that skill has actually never been published in its skill store, and it wouldn’t be possible to control a person’s home automation devices that way. Further, Amazon says it conducts security reviews to filter out malicious skills and dangerous ones are “blocked during certification or quickly deactivated.”
“So it’s less likely this part of what they demonstrated would succeed with an actual malicious skill,” Amazon says.
Researchers, however, have had success sneaking malicious skills or “actions,” which is how Google refers to such apps, onto the platforms. In December 2019, Security Research Labs showed how it was possible to sneak in apps that could be used to phish for sensitive data such as passwords.
A successful attack could have other impacts, Check Point says. For example, it could be possible to get a record of a user's voice history with Alexa. Other types of queries could reveal personal information, such as usernames and phone numbers, but that depends on what types of skills are on the account, Check Point says.
Check Point also says some types of bank-related data could be revealed through a voice history, but Amazon disputes this. Banking information is redacted in Alexa’s responses, Amazon says.
But the security firm contends that “Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history.”