Published on October 19th, 2019
New Amazon Echo Warning As Wi-Fi Cyberattack Risk Confirmed
Amazon Echo security concerns usually centre around how the always-listening device can collect your data without your knowledge. This has been a concern overshadowing all smart speaker devices made by the likes of Amazon, Google and Apple, with recent scandals including the use of external contractors to listen to recordings.
But now it's emerged that the Amazon Echo and some Kindle e-readers are open to a number of Wi-Fi vulnerabilities that could allow something called a key reinstallation attack (KRACK). This would allow an adversary to perform a man-in-the-middle attack (in other words, have the ability to view and control traffic) across a Wi-Fi network protected by the WPA2 standard.
Discovered by the ESET Smart Home Research team, the risk was potentially major: Tens of millions of Echo devices have been sold in the U.S. alone, along with tens of millions of Kindles.
Smart speaker devices such as the Amazon Echo, Google Home and Apple HomePod are increasingly popular. And, despite the efforts of some vendors to develop these devices with security in mind, they often remain vulnerable, says ESET researcher Miloš Čermák.
“We identified multiple flaws in at least three Amazon devices, which could have posed a far-reaching security risk due to the numbers that have been sold,” Čermák adds.
Amazon confirmed it has patched these vulnerabilities. A spokesperson told me: “Customer trust is important to us and we take the security of our devices seriously. Customers received automatic security updates addressing this issue for their devices.”
What is the KRACK attack?
Discovered by researchers Mathy Vanhoef and Frank Piessens in 2017, the KRACK attack takes advantage of weaknesses in the WPA2 standard, which was at the time securing nearly all modern Wi-Fi networks. Most KRACK attacks were aimed at the so-called “four-way handshake”: This confirms that the client and access point possess the right credentials, and negotiates the key used to encrypt the traffic.
Many networks remain vulnerable to this type of cyberattack, and after this issue was confirmed hardware manufacturers had to release firmware updates for their devices to protect them.
In this case, the researchers confirmed the first generation Amazon Echo and the eighth generation of Amazon's Kindle were vulnerable to two KRACK vulnerabilities. ESET said these could allow an adversary to execute a denial of service (DoS) attack (flooding the network with traffic); to decrypt any data or information transmitted by the victim; forge data packets, cause the device to dismiss packets or inject new packets; or intercept sensitive information such as passwords or session cookies.
Separately, the ESET researchers found the Amazon home assistant was susceptible to another network vulnerability called a broadcast replay attack, a network attack that can be abused by an adversary to launch a DoS attack.
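To show why reinstalling an already-used key undermines replay protection, here is an added example (not from ESET, Amazon or the original article) that models a receiver's packet-number check in its flawed and hardened forms. It is a simplified model of the general mechanism published by Vanhoef and Piessens; the class, key and frame names are constructed for illustration.

```python
"""Toy model of a WPA2 receiver's replay check (constructed, not device firmware)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Receiver:
    # True models the flawed behaviour: installing a key always resets state.
    reset_on_reinstall: bool
    key: Optional[bytes] = None
    last_pn: int = -1            # highest packet number accepted under `key`
    accepted: list = field(default_factory=list)

    def install_key(self, key: bytes) -> None:
        """Called when a handshake message delivers a key."""
        same_key = key == self.key
        if same_key and not self.reset_on_reinstall:
            return               # hardened: a retransmitted key changes nothing
        self.key = key
        self.last_pn = -1        # fresh key (or flawed reinstall): counter restarts

    def receive(self, pn: int, payload: str) -> bool:
        """Accept a frame only if its packet number is strictly increasing."""
        if self.key is None or pn <= self.last_pn:
            return False         # replayed or stale frame is dropped
        self.last_pn = pn
        self.accepted.append(payload)
        return True


def run_scenario(reset_on_reinstall: bool) -> list:
    """Feed the same constructed event sequence; return per-frame verdicts."""
    rx = Receiver(reset_on_reinstall)
    gtk = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    verdicts = []
    rx.install_key(gtk)
    verdicts.append(rx.receive(1, "broadcast A"))
    verdicts.append(rx.receive(2, "broadcast B"))
    rx.install_key(gtk)          # retransmitted handshake message, same key
    verdicts.append(rx.receive(1, "broadcast A"))   # old frame seen again
    verdicts.append(rx.receive(3, "broadcast C"))   # genuine next frame
    return verdicts


if __name__ == "__main__":
    print("flawed  :", run_scenario(True))
    print("hardened:", run_scenario(False))
```

The third verdict is the one to watch: the flawed receiver accepts the old frame because its counter was reset, while the hardened receiver drops it.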
Amazon Echo and Kindle security: What to do
First, there is no need to panic. The risk won't apply to everyone and it's not easy to perform this attack: You have to be close by to execute it. “It should be noted that KRACK attacks, similarly to any other attack against Wi-Fi networks, require close proximity to be effective,” adds Miloš Čermák.
In addition, since the flaws were reported to Amazon in October last year, and were subsequently patched by Amazon's security team in the first few months of this year, most devices should be protected. However, it's still a good idea to check your firmware is up to date as soon as possible by looking in your Kindle settings or Echo app.
In fact, says Jake Moore, cybersecurity expert at ESET, it's essential that users update their devices, and not just the ones listed. “It's easy to forget to patch a device when it's working fine. But even when devices seem to have no issue, it's still important to update when advised.”
In addition he says: “It goes without saying that your router should be given an extremely strong and unique password and people are advised to change their router passwords or at the very least, bump any unknown linked devices off the router.”