From creepy laughs to spy bugs, Amazon’s Echo devices have been in the limelight for a dozen or two reasons, and it seems Alexa is going to hog a bit more of your attention due to a “Krack” on the wall.
Reports have emerged stating that millions of first-generation Amazon Echo devices, and even the eighth-generation Kindle, are susceptible to the Krack Wi-Fi vulnerability. The vulnerability allows hackers to execute a man-in-the-middle attack against a WPA2-protected network.
Krack, a jazzy abbreviation of Key Reinstallation Attack, was first revealed by researchers Mathy Vanhoef and Frank Piessens in 2017. The vulnerability existed in the four-way handshake of the WPA2 protocol, which secured almost all modern Wi-Fi networks at that time.
According to the researchers, attackers could have easily exploited the vulnerability using a key reinstallation attack if the victim was within the network. The attack would enable access to details like passwords, email, photos, and even financial data such as credit card numbers, among other personal and sensitive data.
After the vulnerability was discovered, Amazon released a patch for affected devices early this year, after researchers from ESET informed the company about it. But “Krack” has cracked its way back to the surface: researchers from ESET have discovered and again confirmed that the first-generation Amazon Echo and the eighth-generation Kindle are still affected by the “Krack” vulnerability.
“The Echo 1st generation and Amazon Kindle 8th generation devices were found to be vulnerable to two KRACK vulnerabilities”, ESET researchers stated in their report. “Using Vanhoef’s scripts, we were able to replicate the reinstallation of the pairwise encryption key (PTK-TK) in the four-way handshake (CVE-2017-13077) and reinstallation of the group key (GTK) in the four-way handshake (CVE-2017-13078).”
Even though Amazon has patched the vulnerability, Krack still looms because several users may not have updated their devices. ESET has urged users to go to the settings of these devices and make sure they are running the latest firmware.
Vulnerabilities in Amazon Echo devices are nothing new; they have echoed before. At the last edition of the DEFCON security conference, researchers Wu HuiYu and Qian Wenxiang gave a live demonstration of how to hack a smart speaker. The team used Amazon Echo smart speakers to present their attack program.
The researchers hacked the speaker by adding a malicious device embedded with an attack program. “After several months of research, we successfully break the Amazon Echo by using multiple vulnerabilities in the Amazon Echo system, and achieve remote eavesdropping,” the researchers said in a media report. “When the attack succeeds, we can control Amazon Echo for eavesdropping and send the voice data through a network to the attacker.”