A report by vulnerability testing experts states that a relatively old WiFi vulnerability affects millions of Amazon Echo and Kindle devices from different generations. This flaw, known as a KRACK attack, allows threat actors to deploy Man-in-The-Middle (MiTM) attacks to access a WiFi network with WPA2 protection.
The Key Reinstallation Attack (KRACK)
vulnerability was first reported two years ago and consists of a flaw in the
4-way handshake of the WPA2
WiFi security standard.
If exploited, this vulnerability allows hackers
to decrypt packets sent by clients, thus extracting sensitive information sent
in plain text. Vulnerability testing experts mention that even if this
vulnerability in WPA2 is exploited, encrypted traffic sent via wireless will
remain protected, so this could be considered a first-stage attack.
Correcting these vulnerabilities required
device manufacturers to release new firmware versions for potentially affected
models.
Regarding affected devices, vulnerability testing
experts mention that these are first-generation Amazon Echo smart speakers and
eighth generation Amazon Kindle e-book readers. Both devices are exposed to
exploiting the CVE-2017-13077 and CVE-2017-13078 vulnerabilities.
In their report, the researchers added:
“Using some pre-developed scripts it was possible to replicate the
reinstallation of peer-encryption keys (PTK-TK) on the four-way link
(CVE-2017-13077) and group key reinstallation (GKT) in the four-way link
(CVE-2017-13077) and group key reinstallation (GKT) on the four-way liaison
protocol (CVE-201713078.) “.
By exploiting these security flaws, an attacker
could perform various malicious tasks, such as:
- Replay
old packages to execute a denial of service (DoS) attack - Decrypt
any data or information transmitted by the victim - Falsify
data packets, have the device discard packets or even inject new packets,
depending on network settings - Intercept
sensitive information (passwords, cookies, etc.)
In addition to these vulnerabilities, experts
reported a flaw in Amazon Home Asssistant that could allow a hacker to steal
packages or deploy DoS attacks.
Security updates have already been installed on
most vulnerable devices, however, experts from the International Institute of
Cyber Security (IICS) recommend that users manually verify the installation of
the latest firmware versions.
