The popular Amazon Echo, the original Amazon Alexa hardware, was found with security gaps that could allow attacks by ten key Reinstallation Attack (KRACK) vulnerabilities, as revealed by ESET's Smart Home Research Team. A similar finding was also found in at least one generation of Kindle, Amazon's widely used e-reader.
ESET informed of these vulnerabilities, which were subsequently corrected by the Amazon security team.
2017, two Belgian researchers, Mathy Vanhoef and Frank Piessens, found serious gaps in the WPA2 standard, a protocol that at that time kept virtually all of them Wi-Fi networks.
KRACK attacks primarily target the four-way handshake, a mechanism used for two purposes: to verify that the client and access point have the correct credentials, and to negotiate a traffic network cryptographic key. Even today, two years later, many Wi-Fi-enabled devices are still vulnerable to KRACK attacks.
"In recent years, hundreds of millions of homes have become 'smarter' and have access to the internet through one of the many popular home assistant devices on the market. Despite the efforts of some manufacturers to develop these devices for safety reasons, they often remain vulnerable, "says ESET researcher Miloš Čermák. "We found many security gaps in at least three Amazon devices, which could pose a great risk if we count the number of devices purchased," explains Čermák.
Echo's 1 generation and Amazon Kindle's 8 generation were found to be vulnerable to two KRACK vulnerabilities. These vulnerabilities are quite serious as they allow an attacker to: DoS attack, decrypt all data or information transmitted by the victim, tamper with data packets, force the device to reject packets or even retrieve news packages, and keep track of sensitive information such as passwords or cookies.
"It should be noted that KRACK attacks - like any other attack on Wi-Fi networks - must be carried out at close range to be effective," adds Miloš Čermák.
ESET informed about all the vulnerabilities it identified in Echo and Kindle and assisted the Amazon security team in fixing the issues.
For more details, read it related blogpost «What was wrong with Alexa? How Amazon Echo and Kindle got KRACKed ».