Published on October 19th, 2019

New Amazon Echo Warning As Wi-Fi Cyberattack Risk Confirmed



Amazon Echo security concerns usually centre around how the always-listening device can collect your data without your knowledge. This has been a concern overshadowing all smart speaker devices made by the likes of Amazon, Google and Apple, with recent scandals including the use of external contractors to listen to recordings.

But now it’s emerged that the Amazon Echo and some Kindle e-readers are open to a number of Wi-Fi vulnerabilities that could allow something called a key reinstallation attack (KRACK). This would allow an adversary to perform a man-in-the-middle attack–in other words, to gain the ability to view and control traffic–across a Wi-Fi network protected by the standard WPA2.

Discovered by the ESET Smart Home Research team, the risk was potentially major: Tens of millions of Echo devices have been sold in the U.S. alone, along with tens of millions of Kindles. 

Smart speaker devices such as the Amazon Echo, Google Home and Apple HomePod are increasingly popular. And, despite the efforts of some vendors to develop these devices with security in mind, they often remain vulnerable, says ESET researcher Miloš Čermák.

“We identified multiple flaws in at least three Amazon devices, which could have posed a far-reaching security risk due to the numbers that have been sold,” Čermák adds.

Amazon confirmed it has patched these vulnerabilities. A spokesperson told me: “Customer trust is important to us and we take the security of our devices seriously. Customers received automatic security updates addressing this issue for their devices.”

What is the KRACK attack?

Discovered by researchers Mathy Vanhoef and Frank Piessens in 2017, the KRACK attack takes advantage of weaknesses in the WPA2 standard, which was at the time securing nearly all modern Wi-Fi networks. Most KRACK attacks were aimed at the so-called “four-way handshake”: this confirms that the client and access point possess the right credentials, and negotiates the key used to encrypt the traffic.

Many networks remain vulnerable to this type of cyberattack, and after this issue was confirmed, hardware manufacturers had to release firmware updates for their devices to protect them.
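An added example, not part of the original article or of ESET's research: a simplified Python model of why reinstalling a key that is already in use is dangerous, and the general shape of the fix. It goes beyond the article's description by modelling the per-frame nonce counter that a key install resets; the class, the function names and the key value are hypothetical.

```python
"""Toy model of a WPA2 client handling handshake message 3 (constructed, simplified)."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Client:
    patched: bool
    installed_key: Optional[bytes] = None
    tx_packet_number: int = 0  # per-frame nonce counter tied to the installed key

    def on_message3(self, session_key: bytes) -> None:
        """Handle message 3 of the four-way handshake, including retransmissions."""
        if self.patched and session_key == self.installed_key:
            return  # key already in use: do not reinstall, keep the counter
        self.installed_key = session_key
        self.tx_packet_number = 0  # (re)installing a key resets the nonce counter

    def send_frame(self) -> Tuple[bytes, int]:
        """Return the (key, nonce) pair that protects the next outgoing frame."""
        self.tx_packet_number += 1
        return (self.installed_key, self.tx_packet_number)


def reused_nonces(patched: bool) -> List[int]:
    """Replay message 3 mid-session and list nonces used twice under one key."""
    key = b"constructed-session-key"  # placeholder value, not a real session key
    client = Client(patched=patched)
    client.on_message3(key)                          # normal handshake completes
    used = [client.send_frame() for _ in range(3)]   # nonces 1, 2, 3
    client.on_message3(key)                          # retransmitted message 3 arrives
    used += [client.send_frame() for _ in range(2)]  # unpatched: 1 and 2 again
    counts = Counter(used)
    return sorted(nonce for (_, nonce), n in counts.items() if n > 1)


if __name__ == "__main__":
    print("unpatched reuse:", reused_nonces(patched=False))
    print("patched reuse:  ", reused_nonces(patched=True))
```

A (key, nonce) pair must never protect two different frames; the unpatched client repeats pairs after the replayed message, while the patched client keeps counting.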

In this case, the researchers confirmed the first generation Amazon Echo and the eighth generation of Amazon’s Kindle were vulnerable to two KRACK vulnerabilities. ESET said these could allow an adversary to execute a denial of service (DoS) attack (flooding the network with traffic); to decrypt any data or information transmitted by the victim; forge data packets, cause the device to dismiss packets or inject new packets; or intercept sensitive information such as passwords or session cookies.

Separately, the ESET researchers found the Amazon home assistant was susceptible to another network vulnerability called a broadcast replay attack–a network attack that can be abused by an adversary to launch a DoS attack.

Amazon Echo and Kindle security: What to do

First, there is no need to panic. The risk won’t apply to everyone and it’s not easy to perform this attack: You have to be close by to execute it. “It should be noted that KRACK attacks–similarly to any other attack against Wi-Fi networks–require close proximity to be effective,” adds Miloš Čermák.

In addition, since the flaws were reported to Amazon in October last year, and were subsequently patched by Amazon’s security team in the first few months of this year, most devices should be protected. However, it’s still a good idea to check your firmware is up to date as soon as possible by looking in your Kindle settings or Echo app. 

In fact, says Jake Moore, cybersecurity expert at ESET, it’s essential that users update their devices–and not just the ones listed. “It’s easy to forget to patch a device when it’s working fine. But even when devices seem to have no issue, it’s still important to update when advised.”

In addition he says: “It goes without saying that your router should be given an extremely strong and unique password and people are advised to change their router passwords or at the very least–bump any unknown linked devices off the router.”
