A report by vulnerability testing experts states that a relatively old WiFi vulnerability affects millions of Amazon Echo and Kindle devices from different generations. This flaw, known as a KRACK attack, allows threat actors to deploy Man-in-The-Middle (MiTM) attacks to access a WiFi network with WPA2 protection.
The Key Reinstallation Attack (KRACK) vulnerability was first reported two years ago and consists of a flaw in the 4-way handshake of the WPA2 WiFi security standard.
If exploited, this vulnerability allows hackers to decrypt packets sent by clients, thus extracting sensitive information sent in plain text. Vulnerability testing experts mention that even if this vulnerability in WPA2 is exploited, encrypted traffic sent via wireless will remain protected, so this could be considered a first-stage attack.
Correcting these vulnerabilities required device manufacturers to release new firmware versions for potentially affected models.
Regarding affected devices, vulnerability testing experts mention that these are first-generation Amazon Echo smart speakers and eighth generation Amazon Kindle e-book readers. Both devices are exposed to exploiting the CVE-2017-13077 and CVE-2017-13078 vulnerabilities.
In their report, the researchers added: “Using some pre-developed scripts it was possible to replicate the reinstallation of peer-encryption keys (PTK-TK) on the four-way link (CVE-2017-13077) and group key reinstallation (GKT) in the four-way link (CVE-2017-13077) and group key reinstallation (GKT) on the four-way liaison protocol (CVE-201713078.) “.
By exploiting these security flaws, an attacker could perform various malicious tasks, such as:
- Replay old packages to execute a denial of service (DoS) attack
- Decrypt any data or information transmitted by the victim
- Falsify data packets, have the device discard packets or even inject new packets, depending on network settings
- Intercept sensitive information (passwords, cookies, etc.)
In addition to these vulnerabilities, experts reported a flaw in Amazon Home Asssistant that could allow a hacker to steal packages or deploy DoS attacks.
Security updates have already been installed on most vulnerable devices, however, experts from the International Institute of Cyber Security (IICS) recommend that users manually verify the installation of the latest firmware versions.