What is voice SQL injection, and how was Alexa hacked with it?

Every web application needs its own security measures to protect data and control user access. However, experts note that most users know little about web application security or how it is applied in practice.

Although some sectors, such as financial services, healthcare and commerce, have security standards for the applications they use, many other industries have no such preventive measures. Moreover, even where these standards exist, little thought has been given to extending them to newer technologies such as voice assistants (Alexa, Siri, Cortana and others), which makes voice interfaces a potential attack vector.

Web application security specialists claim that it is currently surprisingly easy to compromise multiple applications using voice alone. By speaking SQL injection payloads as voice commands, an attacker can get into an application or system that feeds the transcribed input to a database query and extract sensitive information.

Tal Melamed, web application security specialist and ethical hacker at the security firm Protego, has demonstrated a method of executing a SQL injection through a voice command and gaining access to sensitive data from the target system, in this case an application driven by the Alexa voice assistant.

The researcher abused the voice assistant to reach an insecure application by speaking account numbers and short text strings. For the test he used an application and a database of his own creation; however, the same approach could work against virtually any application that accepts spoken account numbers or text as an authentication input and passes them to a database query without sanitization.

In slightly simplified form, these are the steps the researcher took to complete the attack:

  • The researcher asked for an administrator account, for which he was not authorized, by the account name and ID
  • Alexa initially denied the request
  • The researcher then tried to get around the refusal by speaking an arbitrary account number followed by syntax that would trigger a SQL injection
  • When the system asked for an account ID, he said a random number and appended another command, which gave him access to any row in the database
  • In the end, Alexa read back the balance of the administrator account he was not authorized to see
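The following added example (not the researcher's code, and not the real skill or database) reconstructs the flow above in Python with an in-memory SQLite database. The schema, the account data, the caller name and the transcribed slot value (we assume the speech-to-text layer delivers the spoken "1234 or 1=1" to the skill as plain text) are all constructed assumptions. The vulnerable handler authorizes on the raw spoken string and then concatenates that same string into the query, which is why the literal admin ID is refused but the injected value is not; the hardened handler requires a numeric ID, binds it as a parameter and enforces ownership inside the query.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for the researcher's test app."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (account_id INTEGER, owner TEXT, balance INTEGER);
        INSERT INTO accounts VALUES (1001, 'alice', 250);
        INSERT INTO accounts VALUES (9001, 'admin', 1000000);
    """)
    return conn


def vulnerable_balance(conn, caller, spoken_account_id):
    """Hypothetical skill handler with the bug: the authorization check compares
    the raw transcribed slot value against the admin ID, then the same raw
    value is concatenated into the SQL statement."""
    # Step 1/2 of the article: a plain request for the admin account is refused.
    if spoken_account_id.strip() == "9001" and caller != "admin":
        return "denied"
    # Step 3/4: anything that is not literally "9001" reaches the query verbatim,
    # so "1234 or 1=1" turns the WHERE clause into a tautology.
    sql = "SELECT owner, balance FROM accounts WHERE account_id = " + spoken_account_id
    return conn.execute(sql).fetchall()


def safe_balance(conn, caller, spoken_account_id):
    """Hardened handler: the spoken value must be purely numeric (spaces from
    digit-by-digit transcription are tolerated), it is passed as a bound
    parameter, and the ownership rule lives in the query itself."""
    digits = spoken_account_id.replace(" ", "")
    if not digits.isdigit():
        return "denied"
    sql = "SELECT owner, balance FROM accounts WHERE account_id = ? AND owner = ?"
    return conn.execute(sql, (int(digits), caller)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_balance(db, "alice", "9001"))        # denied
    print(vulnerable_balance(db, "alice", "1234 or 1=1")) # every row, admin included
    print(safe_balance(db, "alice", "1234 or 1=1"))       # denied
    print(safe_balance(db, "alice", "1001"))              # only alice's own account
    print(safe_balance(db, "alice", "9001"))              # empty: not her account
```

The point of the hardened version is that the voice channel changes nothing about the fix: the transcribed text is untrusted input like any other, so it must be validated against the expected type and bound as a parameter, and the authorization decision must be made on the same data the query actually uses.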

According to the web application security specialists from the International Institute of Cyber Security (IICS), this is not a vulnerability in Alexa itself but a flaw in the applications that work with the voice assistant: the transcribed speech is just another untrusted input that they fail to validate before using it in a query. While voice assistants should always be encouraged to stay ahead of the curve on security, it is the applications that integrate with them that most urgently need proper defenses, such as input validation and parameterized queries, against voice SQL injection.