Needless to say, we are all familiar with IoT devices in the 21st century and have at least a couple of them in our homes. The Internet of Things (IoT) refers to the network of physical objects ("things") that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.
I can't speak for most people, but I'm guilty of being totally dependent on these devices, particularly Alexa or Google Home. From setting an alarm to checking the weather by voice command, it is just far more convenient than using a smartphone. More importantly, you can use them to control your other devices, such as turning on the lights or the thermostat, and for advanced users there are many other fascinating things you can do.
However, this post is not just about how valuable these devices are, but rather about their security vulnerabilities and what we can do to protect them better. Before we get into the technical details, I will attempt a simple explanation for non-tech-savvy readers. Have you ever noticed that when you connect to your Wi-Fi, you can see the names of all the devices that are connected to it? Or that when somebody is listening to music on their device, you can see the song they are playing or the movie they are watching? This is because all of these devices are connected to each other. Obviously you can't access another person's information just by connecting to the same network, but the point I'm trying to make is that the devices are still connected, and hence it is not impossible for a professional to hijack one and see more than just the device name. Another way hackers are finding their way into Alexa is through fake skills: when a user asks Alexa to install the "Capital One App", they can be tricked into installing a fake skill called "Capital Won", which has malicious intent such as stealing the customer's information.
Recent research published by Check Point indicates that a number of Amazon and Alexa subdomains were susceptible to a Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting (XSS). By using XSS, the attacker is able to obtain a CSRF token that would give them access to elements of the smart home installation. As a result, hackers can install fake skills to exploit the system. For instance, when the user invokes the installed skill, these flaws might have allowed an attacker to remove or install skills on the targeted victim's Alexa account, access their speech history, and steal personal information. The research claims that it would need only one click on a carefully designed Amazon link to successfully exploit the vulnerability.
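For site owners, the lesson from this kind of chain is that a CORS policy which trusts every sibling subdomain turns a single XSS bug anywhere on the domain into access to authenticated responses, CSRF token included. The sketch below is an added example, not code from this post or from the Check Point research; the `example.com` hosts and all function names are hypothetical, and the weak policy shown is an assumed, common form of such a misconfiguration, set beside an exact-match allowlist.

```javascript
// Constructed example: every host and function name here is hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://store.example.com"]);

// Response headers that let `origin` read credentialed (cookie-bearing) responses.
const allow = (origin) => ({
  "Access-Control-Allow-Origin": origin,
  "Access-Control-Allow-Credentials": "true",
  Vary: "Origin",
});

// Weak policy (an assumed, common form of the misconfiguration): any subdomain
// of the parent domain is trusted. One XSS bug on any sibling subdomain then
// lets injected script read authenticated responses, anti-CSRF token included.
function weakCorsHeaders(origin) {
  return origin && origin.endsWith(".example.com") ? allow(origin) : {};
}

// Hardened policy: HTTPS only, exact match against an allowlist of origins.
function strictCorsHeaders(origin) {
  let normalized;
  try {
    const u = new URL(origin);
    if (u.protocol !== "https:") return {};
    normalized = u.origin; // scheme + host + port, host lower-cased
  } catch {
    return {}; // missing or malformed Origin header
  }
  return ALLOWED_ORIGINS.has(normalized) ? allow(normalized) : {};
}

// Constructed sample Origin header values.
const samples = [
  "https://app.example.com",    // intended caller
  "https://legacy.example.com", // sibling subdomain outside the allowlist
  "http://app.example.com",     // plaintext variant of an allowed host
  "https://unrelated.test",     // different site entirely
];

// Returns the sample origins that a policy would grant credentialed access to.
function audit(policy) {
  return samples.filter((o) => "Access-Control-Allow-Origin" in policy(o));
}

console.log("weak policy allows:  ", audit(weakCorsHeaders));
console.log("strict policy allows:", audit(strictCorsHeaders));
```

Running `audit` over the Origin values seen in your own access logs is a quick way to confirm that only the intended front ends receive credentialed CORS headers.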