Amazon Echo and Kindle vulnerable to KRACK attacks: ESET
Vulnerabilities allow an attacker to execute a DoS, other attacks
ESET Smart Home Research Team recently discovered that the Amazon Echo 1st generation and Amazon Kindle 8th generation devices were vulnerable to two Key Reinstallation Attack (KRACK) vulnerabilities.
These vulnerabilities allow an attacker to execute a DoS attack; decrypt any data or information transmitted by the victim; forge data packets, cause the device to dismiss packets or even inject new packets; intercept sensitive information such as passwords or session cookies.
“In recent years, hundreds of millions of homes have become smarter and internet-enabled via one of the many popular home assistant devices available on the market. Despite the efforts of some vendors to develop these devices with security in mind, these often remain vulnerable,” said ESET researcher Miloš Čermák. “We identified multiple flaws in at least three Amazon devices, which could have posed a far-reaching security risk due to the numbers in which they have been sold,” he added.
In 2017, two Belgian researchers, Mathy Vanhoef and Frank Piessens found serious weaknesses in the WPA2 standard, a protocol that at that time was securing virtually all modern Wi-Fi networks. KRACK attacks were mostly aimed against the four-way handshake – a mechanism used for two purposes: confirming that both the client and access point possess the correct credentials, and negotiation of the key used for encryption of the traffic. Even now, two years later, many Wi-Fi enabled devices are still vulnerable to KRACK attacks.
It should be noted that KRACK attacks – similar to any other attack against Wi-Fi networks – require close proximity to be effective.
ESET reported all identified vulnerabilities in Echo and Kindle to Amazon who fixed the issues.