
Published on September 13th, 2019 📆 | 7180 Views ⚑


What is voice SQL injection and how Alexa was hacked with it?



Each web application has its own security measures to ensure data protection and user access control. However, experts note that most users have little knowledge of web application security or of how it is applied in practice.

Although safety standards exist for applications in fields such as financial services, health and commerce, other industries lack such preventive measures. Moreover, even where these standards exist, nobody has considered extending them to new technologies such as voice assistants (Alexa, Siri, Cortana, among others), which makes this technology a potential attack vector.

Web application security specialists claim that it is currently very easy to compromise the security of multiple applications using only voice. Using SQL injection techniques delivered through voice commands, it is possible to access some applications or break into a system to extract sensitive information.

Tal Melamed, web application security specialist and ethical hacker at security firm Protego, has revealed a method to execute a SQL injection using a voice command and gain access to sensitive data from the target system, in this case the Alexa voice assistant.

The expert managed to abuse the voice assistant to access insecure applications by verbally entering account numbers and simple text messages. For testing, the expert used an application and a database of his own creation; however, it is possible to compromise virtually any application that uses account numbers or text as a means of authentication.

In a slightly simplified form, these are the steps the expert took to complete the attack:

  • The expert tried to access an administrator account for which he had no authorization, using the name and identification number of the account
  • Alexa initially denied the expert's request
  • The expert tried to get around Alexa's refusal by saying an arbitrary number with syntax that would trigger SQL injection
  • When the system requested an account ID, the expert said only an arbitrary number and appended another command, which gave him access to any row in the database
  • In the end, Alexa provided the expert with the balance information of the unauthorized administrator account
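As an added illustration that is not the expert's own code or application, the sketch below (Python with sqlite3) shows the backend pattern that makes a voice skill injectable and the hardened form a skill developer would want; the account table, the transcript string and all function names are constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for the expert's self-built test
# database; the account numbers, owners and balances are invented here.
SAMPLE_ACCOUNTS = [
    (1001, "alice", 120.50),
    (1002, "admin", 9999.00),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the skill's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def balance_vulnerable(conn: sqlite3.Connection, spoken_id: str) -> list:
    """Backend that pastes the transcribed utterance straight into SQL.

    The speech-to-text result is trusted as if it were a number, so whatever
    the transcript contains becomes part of the query text.
    """
    query = f"SELECT owner, balance FROM accounts WHERE id = {spoken_id}"
    return conn.execute(query).fetchall()


def balance_hardened(conn: sqlite3.Connection, spoken_id: str, linked_accounts: set):
    """Same lookup with input validation, an ownership check and a bound parameter.

    linked_accounts is the set of account IDs tied to the speaker's identity
    (for example via account linking); the skill reprompts when None is returned.
    """
    # A transcript is text even when a numeric slot was requested: digits only.
    if not spoken_id.isdigit():
        return None
    account_id = int(spoken_id)
    # Enforce ownership in the data layer, not only in the dialogue flow.
    if account_id not in linked_accounts:
        return None
    query = "SELECT owner, balance FROM accounts WHERE id = ?"
    return conn.execute(query, (account_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed transcript: a number followed by injected SQL syntax.
    transcript = "1001 OR 1 = 1"
    print(balance_vulnerable(db, transcript))        # every row, admin included
    print(balance_hardened(db, transcript, {1001}))  # None: rejected before any query
```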

According to the web application security specialists from the International Institute of Cyber Security (IICS), this is not an Alexa vulnerability but a flaw in the applications that work with the voice assistant. While it will always be advisable for voice assistants to stay ahead of the curve in terms of security, it is really the applications that interact with these platforms that need better security measures against voice SQL injection.
