ESET discovers Amazon Echo and Kindle got KRACKed


The ESET Smart Home Research Team recently discovered that the popular Amazon Echo – the original hardware of Amazon Alexa – was open to a number of the ten Key Reinstallation Attack (KRACK) vulnerabilities. This was also the case for at least one generation of Amazon’s widely used Kindle e-readers. The identified flaws were reported to, and subsequently patched by, Amazon’s security team.

In 2017, two Belgian researchers, Mathy Vanhoef and Frank Piessens, found serious weaknesses in the WPA2 standard, a protocol that at that time was securing virtually all modern Wi-Fi networks. KRACK attacks were mostly aimed against the four-way handshake – a mechanism used for two purposes: confirming that both the client and access point possess the correct credentials, and negotiating the key used to encrypt the traffic. Even now, two years later, many Wi-Fi enabled devices are still vulnerable to KRACK attacks.

“In recent years, hundreds of millions of homes have become smarter and internet-enabled via one of the many popular home assistant devices available on the market. Despite the efforts of some vendors to develop these devices with security in mind, these often remain vulnerable,” says ESET researcher Miloš Čermák. “We identified multiple flaws in at least three Amazon devices, which could have posed a far-reaching security risk due to the numbers in which they have been sold,” explains Čermák.

The Echo 1st generation and Amazon Kindle 8th generation devices were found to be vulnerable to two KRACK vulnerabilities. These vulnerabilities are quite severe, as they allow an attacker to: execute a DoS attack; decrypt any data or information transmitted by the victim; forge data packets, cause the device to dismiss packets, or even inject new packets; and intercept sensitive information such as passwords or session cookies.

“It should be noted that KRACK attacks – similar to any other attack against Wi-Fi networks – require close proximity to be effective,” adds Miloš Čermák.

ESET reported all identified vulnerabilities in Echo and Kindle, and assisted Amazon’s security team while they fixed the issues.
