Threat researchers at Slovakian antivirus and firewall specialist ESET have warned of a continued vulnerability in first-generation Amazon Echo and eighth-generation Amazon Kindle devices that leaves them open to the Key Reinstallation Attack (Krack) Wi-Fi exploit, and suggest that millions of Amazon customers are failing to keep their devices up to date.
Initially identified by a Belgian security researcher in 2017, the Krack vulnerability is particularly concerning because rather than affecting particular end-user routers or devices, it lies in the WPA2 wireless security standard itself.
A Krack attack targets the four-way handshake in the WPA2 protocol that executes when a client device attempts to join a protected Wi-Fi network. This handshake confirms that both device and access point have the right credentials and negotiates a new key to encrypt session traffic.
The vulnerability enables these handshakes to be manipulated and replayed so that an attacker can trick a device into reinstalling a key that is already in use. In this way, they can gain visibility of data transiting the Wi-Fi network.
After its discovery, the security community put out mixed messages as to how serious the Krack flaw actually was. At the time, it was noted extensively that nobody had exploited it in the wild, partly because a successful exploit relies on the attacker being within range of the Wi-Fi network.
Also, it was easily patched, and when it was publicly disclosed, device manufacturers had already been working on fixes for a few months.
This makes its continued existence in Amazon devices particularly concerning, according to Boris Cipot, senior security engineer at Synopsys. “The Krack vulnerability is a rather troubling flaw allowing attackers to observe data that was previously assumed to be secured, when a user is connected to Wi-Fi,” he said.
ESET disclosed the continued existence of the flaws in Echo and Kindle devices to Amazon 12 months ago, and a patch was issued earlier in 2019.
ESET researcher Miloš Čermák said: “In recent years, hundreds of millions of homes have become smarter and internet-enabled via one of the many popular home assistant devices available on the market. Despite the efforts of some vendors to develop these devices with security in mind, they often remain vulnerable.
“We identified multiple flaws in at least three Amazon devices, which could have posed a far-reaching security risk due to the numbers in which they have been sold.”
Cybereason chief security officer Sam Curry added: “The Amazon Echo, Kindle and the entire Amazon home automation suite sits at the intersection of our personal and digital lives. The implications at home and at work and how to accommodate these devices safely and securely are still being discovered. Wi-Fi sniffing, interception and hijacking are nothing new, but this latest development may have more implications than simply snooping on your Kindle reading habits.
“Keep in mind that businesses have commercial relationships in place with AWS and your Amazon identity is often linked to your home, your bank accounts and credit cards. It is a good idea for Amazon to think carefully about all of its common components and this usage sooner rather than later.”
Synopsys’ Cipot said: “To check if the patch has been successfully installed on your Echo, you can ask Alexa to ‘check for software updates’. In doing so, Alexa will check whether your device has the latest software updates installed. You can also carry this out manually by going into your Alexa app, under ‘Devices’ where you can select your Echo device(s). From there, under ‘About’, you can read about the latest software information pertinent to your device. The latest version available is 641571120.
“To check if the patch has been successfully installed on your Kindle, from your Home screen, go to ‘Settings’ and click on the menu button to open device information. You should have the latest version (5.12.1) installed on your device. If not, you should install this specific version immediately to ensure your device is not susceptible to Krack or other potential vulnerabilities that have been resolved with this update.”
As well as the Krack vulnerability, ESET’s research team uncovered an unrelated vulnerability in Echo devices that left users exposed to a broadcast replay attack, which is where a valid transmission is fraudulently repeated and accepted by the target device. Such attacks can be abused to launch distributed denial of service (DDoS) attacks or collect packets for future brute-force attacks.