
Millions of Amazon Echo and Kindle Devices Affected by WiFi Bug


steven36

Millions of Amazon Echo 1st generation and Amazon Kindle 8th generation devices are susceptible to an old WiFi vulnerability called KRACK that allows an attacker to perform a man-in-the-middle attack against a WPA2 protected network.

 


 

KRACK, or Key Reinstallation Attack, is a vulnerability in the 4-way handshake of the WPA2 protocol that was disclosed in October 2017 by security researchers Mathy Vanhoef and Frank Piessens.

 

Using this attack, bad actors can decrypt packets sent by clients in order to steal sensitive information that is sent in plain text. While the WPA2 wireless connection of this network has been compromised by this attack, it is important to note that any encrypted traffic sent over the wireless network will still be protected from snooping.

 

In order to fix these vulnerabilities, hardware manufacturers needed to release new firmware for the affected devices.

Older Amazon devices are affected

In a report by the ESET Smart Home Research Team, the researchers state that they discovered Amazon Echo 1st generation and Amazon Kindle 8th generation devices were still affected by the KRACK vulnerability.

 

When performing tests against the older Echo and Kindle devices, ESET discovered that the devices were vulnerable to the KRACK four-way handshake vulnerabilities CVE-2017-13077 and CVE-2017-13078.

 

"The Echo 1st generation and Amazon Kindle 8th generation devices were found to be vulnerable to two KRACK vulnerabilities", ESET researchers stated in their report. "Using Vanhoef’s scripts, we were able to replicate the reinstallation of the pairwise encryption key (PTK-TK) in the four-way handshake (CVE-2017-13077) and reinstallation of the group key (GTK) in the four-way handshake (CVE-2017-13078)."

 


Reinstallation of keys using CVE-2017-13077 on Amazon Echo

 

 

According to ESET these vulnerabilities could allow an attacker to:

  • replay old packets to execute a DoS attack, disrupt network communication or replay attack
  • decrypt any data or information transmitted by the victim
  • depending on the network configuration: forge data packets, cause the device to dismiss packets or even inject new packets
  • intercept sensitive information such as passwords or session cookies

 

The researchers also discovered that the Amazon Home Assistant was affected by an unrelated vulnerability that could allow an attacker to steal packets or perform a DoS attack.

Security update released for affected Amazon devices

ESET responsibly disclosed these bugs to Amazon on October 23rd, 2018 and was told that Amazon would look into the issues.

 

On January 8th, 2019, Amazon stated that they could replicate the bugs and had prepared patches that would be pushed out to affected devices in the coming weeks. This patch would come in the form of a new wpa_supplicant, which is a small program that controls the wireless protocols on the device.

"To patch CVE-2017-13077 and CVE-2017-13078 vulnerabilities in several million Echo 1st generation and Amazon Kindle 8th generation devices, Amazon issued and distributed a new version of the wpa_supplicant – a software application on the client device responsible for correct authentication to the Wi-Fi network."

Most users should have this update already installed for quite some time, but it is strongly advised that all users go into their Echo and Kindle settings and make sure they are using the latest firmware.

 

Source

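To show why reinstalling a key that is already in use matters, and what a fixed supplicant has to prevent, here is an added example (not from the article, ESET, or wpa_supplicant). It is a toy model: the cipher is a SHA-256 stand-in rather than CCMP, and the `Client` class, its `patched` flag, the sample key and the plaintexts are all constructed for illustration.

```python
import hashlib

P1 = b"GET /login?user=alice"   # constructed plaintext frames
P2 = b"Cookie: session=12345"

def keystream(tk: bytes, pn: int, n: int) -> bytes:
    # Stand-in stream cipher (NOT CCMP): output depends only on (key, packet number).
    out, ctr = b"", 0
    while len(out) < n:
        block = tk + pn.to_bytes(6, "big") + ctr.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical model of a Wi-Fi client's temporal-key handling."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.tk = None
        self.pn = 0
        self.used = []                       # every (key, packet number) pair sent

    def on_message3(self, tk: bytes) -> None:
        # Message 3 of the four-way handshake triggers key installation.
        if self.patched and tk == self.tk:
            return                           # key already in use: keep the counter
        self.tk, self.pn = tk, 0             # (re)installation resets the packet number

    def send(self, plaintext: bytes) -> bytes:
        self.pn += 1
        self.used.append((self.tk, self.pn))
        return xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))

def run(patched: bool):
    tk = bytes(range(16))                    # constructed sample key
    c = Client(patched)
    c.on_message3(tk)
    ct1 = c.send(P1)
    c.on_message3(tk)                        # retransmitted message 3
    ct2 = c.send(P2)
    nonce_reused = len(set(c.used)) < len(c.used)
    return nonce_reused, xor(ct1, ct2)

if __name__ == "__main__":
    for patched in (False, True):
        reused, leak = run(patched)
        print(f"patched={patched} nonce_reused={reused} "
              f"ct1^ct2==p1^p2: {leak == xor(P1, P2)}")
```

In the unpatched model the two ciphertexts share a keystream, so their XOR equals the XOR of the plaintexts. Data that is already encrypted end to end before it reaches the Wi-Fi layer would still be ciphertext in `P1` and `P2`.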