Alexa, Security Flawed?

An intelligent virtual assistant (IVA) or intelligent personal assistant (IPA) is a software agent that can perform tasks or services for an individual based on commands or questions. Amazon Alexa, commonly known as “Alexa”, is an AI-based virtual assistant developed by Amazon, capable of voice interaction, music playback, setting alarms and other tasks, including controlling smart devices as part of a home automation system. Users are able to extend Alexa's capabilities by installing “skills” – additional functionality developed by third-party vendors, which can be thought of as apps – such as weather programs and audio features.

Misconfigured Cross-Origin Resource Sharing (CORS) Policy

It was once possible to look at the traffic of the Alexa application and see several requests made by the app under a misconfigured CORS policy. The policy allowed Ajax requests to be sent from any other Amazon sub-domain, so an attacker with code-injection capabilities on one Amazon subdomain could potentially perform a cross-domain attack on another Amazon subdomain.

Attack Capability

Using the above Alexa security flaw, there are several things an attacker could do.

  • Get Skill List: This could allow the attacker to view the entire skill list of the victim's account. That information can later be used to replace one of the victim's skills with a published skill the attacker chooses from the skills store.
  • Silently Remove an Installed Skill: This allows the attacker to remove a skill from the victim's account. The skill removed is one of those returned by the skill-list request above.
  • Get Victim's Voice History with Alexa: This allows the attacker to get the victim's voice history with Alexa, viewing both the voice commands and Alexa's responses to them. This could expose personal information, such as anything private Alexa heard and recorded.
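As an added example (not code from the original post or from Amazon), the following contrasts the kind of origin policy described above, one that trusts every sub-domain of the parent domain, with an exact-origin allowlist compared after parsing. The domain example.com and the allowlisted front-end origin are placeholders, and the decision functions are hypothetical server-side logic.

```javascript
// Added example (hypothetical, not Amazon's code): two ways a server can decide
// which cross-origin callers may read an authenticated (cookie-bearing) response.

// Weak policy: any host under the parent domain is trusted and credentials are
// allowed. Script injection on any one sub-domain is then enough for a page there
// to call this API as the logged-in user, which is the cross-domain risk above.
const ANY_SUBDOMAIN = /^https:\/\/([a-z0-9-]+\.)*example\.com$/i; // placeholder domain

function weakCorsHeaders(origin) {
  if (ANY_SUBDOMAIN.test(origin)) {
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
    };
  }
  return {};
}

// Stricter policy: an explicit allowlist of exact origins (scheme + host + port),
// checked by parsing the Origin header rather than by regex or suffix matching,
// plus Vary: Origin so a cache never replays one origin's answer to another.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed front end

function strictCorsHeaders(origin) {
  let parsed;
  try {
    parsed = new URL(origin); // throws on "null", missing or malformed origins
  } catch {
    return {};
  }
  if (parsed.protocol !== 'https:') return {};
  const exact = `${parsed.protocol}//${parsed.host}`;
  if (!ALLOWED_ORIGINS.has(exact)) return {};
  return {
    'Access-Control-Allow-Origin': exact,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Stand-alone demonstration with constructed Origin header values.
for (const origin of ['https://app.example.com', 'https://other.example.com', 'null']) {
  console.log(origin, 'weak:', weakCorsHeaders(origin), 'strict:', strictCorsHeaders(origin));
}
```

The strict variant still allows credentials, but only for origins the operator named explicitly; anything else gets no `Access-Control-Allow-Origin` header at all, so the browser withholds the response body from the calling page.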
The Problem with Skills

For skills to pass Amazon's vetting process, they must abide by Amazon's privacy policy and meet security requirements for hosting services on external servers. Some researchers worry that Amazon's vetting is not strict enough. Concerns have also been raised about the Alexa privacy policy and how it affects users' data.

The first is the potential for duplicate invocation phrases. When developers register their skills with Amazon, some have found loopholes that allow them to use the same phrase as popular brand names. The issue that arises from duplicate invocation names is the increased threat of phishing attacks. When users download a skill, this usually gives a third party access to the user's email address. Using the name of a popular brand can add fake legitimacy to phishing emails sent by the third party, encouraging users to fall victim to this malicious practice. The second major issue is that developers are able to make code alterations to their apps after they've already been vetted by Amazon. This means developers could go back and either accidentally or purposely make changes to the code that open their apps up to malware and other cyber threats.

Takeaway

Security issues with Amazon Alexa skills should serve as a lesson for other organisations: if they open their product or service up to integration with third parties, there are many factors to consider to ensure that the organisation's and its users' data remain protected. Businesses planning to open their products or platforms to third-party integrations should develop a comprehensive and stringent vetting process that guarantees proper security precautions are in place and requires full transparency over how user data is collected and used. In addition, because IoT infrastructure has many possible points of failure, measures need to be in place to protect users from the kinds of vulnerabilities described above. Locking in a secure skill vetting process should be the first port of call: user data has been exposed in the past, and flaws must be patched now, before the industry grows into something we cannot control.
