Info Glaring Amazon Alexa Security Flaw

I discovered this one today about 2 hours ago.

When I powered up a new Amazon Alexa Show 5 for my kids' room, my security software immediately alerted me to a new device on the network.

I hadn't even configured the device yet. How did it connect to my network? The best I could figure was it reached out to other devices in the house from Amazon and asked for the local network key.

This is a BIG F'N NO! I don't even let Google back up our network access keys.
 
My Apple phones do that. If 2 phones are on the same Apple ID and one device is connected to the wifi network, it will use Bluetooth to send the credentials to my other phone, auto-connecting it to wifi.

That might be acceptable. But the device was not preconfigured in any way. So there was no collaborating ID.

The problem here is anyone could walk up close to your house, broadcast an Amazon connect signal and hijack your network without verification.
 
If you bought it through Amazon it comes linked to the Amazon account you bought it with I believe. At least I think I remember that being the case when I bought a fire stick a while back.

So you are telling me Amazon takes the device, programs it at the warehouse, then packages it up with sealed plastic wrap and seals it in the box, all pre-programmed with my information?

If that were the case, it wouldn't have asked me to log into the Amazon account AFTER it connected to my network. Somehow I find the pre-programmed route...doubtful.
 

TJ Hooker

So you are telling me Amazon takes the device, programs it at the warehouse, then packages it up with sealed plastic wrap and seals it in the box, all pre-programmed with my information?

If that were the case, it wouldn't have asked me to log into the Amazon account AFTER it connected to my network. Somehow I find the pre-programmed route...doubtful.
Well, no, I'm not saying that's necessarily how they do it. If this is something they do, it could be something like they link the S/N of the device to your account, such that when you first connect to the internet it'd contact the Amazon servers and get the credentials linked to its S/N (maybe just the login name, not the password). Or maybe I'm crazy, but I was sure I remembered something like this happening when I got my firestick.

But you're right, wouldn't explain how it would get your wifi password.
 
Possibly a guest SSID enabled?

I can't visualize any method of it discovering your internal WiFi credentials.

Nope. I lock my network down pretty tight. I turn off DHCP and assign each device to a static IP and log everything and run it through two firewalls.

I'm taking a guess, but considering there's already an Amazon Alexa device in the house (my son's room), the new device connected to that and used a blind trust request to retrieve the network password.

It's possible it connected to my wife's phone via Bluetooth, which was upstairs and running Alexa. But that is still a security violation in my book. At the very least the Amazon device holding the information should ask permission before sharing credentials.
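
An added example, not written by any poster in this thread: with DHCP off and every device on a logged static IP, as described above, the address plan doubles as an inventory, and comparing the neighbour table against it is what produces a "new device" alert. The inventory, addresses and sample `ip neigh show` output below are constructed for illustration.

```python
import re

# Constructed inventory: static IP -> expected MAC (hypothetical addresses).
INVENTORY = {
    "192.168.1.10": "aa:bb:cc:00:00:10",  # desktop
    "192.168.1.20": "aa:bb:cc:00:00:20",  # existing Echo
    "192.168.1.30": "aa:bb:cc:00:00:30",  # phone
}

# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE_NEIGH = """\
192.168.1.10 dev eth0 lladdr aa:bb:cc:00:00:10 REACHABLE
192.168.1.20 dev eth0 lladdr AA:BB:CC:00:00:20 STALE
192.168.1.30 dev eth0 lladdr aa:bb:cc:00:00:99 REACHABLE
192.168.1.57 dev eth0 lladdr de:ad:be:ef:00:01 DELAY
192.168.1.77 dev eth0 FAILED
"""

ENTRY = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-fA-F:]{17})\b")

def audit_neighbours(neigh_text, inventory):
    """Return (kind, ip, mac) findings for entries that disagree with the inventory."""
    known_macs = {mac.lower() for mac in inventory.values()}
    findings = []
    for line in neigh_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # FAILED/INCOMPLETE entries carry no MAC to check
        ip, mac = m.group(1), m.group(2).lower()
        expected = inventory.get(ip)
        if expected is None and mac not in known_macs:
            # Neither the IP nor the MAC is in the plan: a device nobody enrolled.
            findings.append(("unknown-device", ip, mac))
        elif expected is None:
            # An enrolled device answering on an address it was not assigned.
            findings.append(("known-mac-wrong-ip", ip, mac))
        elif expected.lower() != mac:
            # An assigned address claimed by different hardware.
            findings.append(("mac-mismatch", ip, mac))
    return findings

if __name__ == "__main__":
    for kind, ip, mac in audit_neighbours(SAMPLE_NEIGH, INVENTORY):
        print(f"{kind:20} {ip:15} {mac}")
```

The check only sees devices that have actually joined the network; a device that is merely broadcasting its own setup access point will not appear in the neighbour table.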
 
I got a Google Home Mini a few years ago for pretty cheap and was disappointed.

Voice assistant was nice, but the novelty wore off quickly. I did use it to play music, however, they required you to pay for this service and the speaker was pretty crappy. They don't even let you plug in another speaker. Likely to try to upsell you on a Google Home Max.

I might try to mod an output onto it, but I have no clue how to crack it open.
 
If you bought it through Amazon it comes linked to the Amazon account you bought it with I believe.
This is true. Every Echo device that I have purchased has been linked to my AMZ account. (Bit of a pain when I forget about it and I buy one as a gift.)

So you are telling me Amazon takes the device, programs it at the warehouse, then packages it up with sealed plastic wrap and seals it in the box, all pre-programmed with my information?
No. The serial number is linked to your AMZ account.

The device is broadcasting to allow you to connect to it with the AMZ app. It's likely that your network is detecting a WiFi ARP broadcast.
 

britechguy

And as an editorial, and entirely personal, side opinion, worrying about one's WiFi password being exchanged between dedicated Amazon devices pales in comparison to being constantly on a several minute audio collection loop inside the home in whatever rooms these devices are located in (or can "hear" from).

I have a friend who's blind who absolutely adores her Alexa units (a regular and two dots, I think, maybe only one dot) and in her case I can see why.

For myself, I don't use a single solitary voice recognition controlled device that interacts with the internet and never will. I shackled Cortana down to basic "old Windows search" on my first day of Windows 10 use in 2015. I just find the whole idea creepy because of what has to be done behind the scenes to implement the convenience that even I will not deny these devices provide. It's not worth the trade-off for me.
 

TJ Hooker

And as an editorial, and entirely personal, side opinion, worrying about one's WiFi password being exchanged between dedicated Amazon devices pales in comparison to being constantly on a several minute audio collection loop inside the home in whatever rooms these devices are located in (or can "hear" from).
I also have some strong feelings about surrounding myself with audio recording devices, but privacy and security are two different things.
 

britechguy

That's not a flaw... It's a feature

And I agree with that 100%. This stuff is made for a target demographic that values ease and convenience above all else. You cannot blame Amazon for giving their primary customer base for this device what they want.

I've had to assist in activating early Alexa devices, and it was not a simple proposition. I'm sure that quite a few were returned as a result, and that's the last thing any manufacturer/seller of a device promoted on providing convenience wants.
 
And as an editorial, and entirely personal, side opinion, worrying about one's WiFi password being exchanged between dedicated Amazon devices pales in comparison to being constantly on a several minute audio collection loop inside the home in whatever rooms these devices are located in (or can "hear" from).

I have a friend who's blind who absolutely adores her Alexa units (a regular and two dots, I think, maybe only one dot) and in her case I can see why.

For myself, I don't use a single solitary voice recognition controlled device that interacts with the internet and never will. I shackled Cortana down to basic "old Windows search" on my first day of Windows 10 use in 2015. I just find the whole idea creepy because of what has to be done behind the scenes to implement the convenience that even I will not deny these devices provide. It's not worth the trade-off for me.

I conditionally agree with you. But I Wireshark tapped my network to track Alexa traffic. Amazon stays true to their word and does not send data unless you use the magic word. (I have seen updates download however.)

This doesn't mean your device can't be hacked or accessed through a back door. But for now I can give them a conditional green light. The first thing we did was shut off the camera with the shutter. The wifi password sharing though is still a big no-no in my book and I'm following up with Amazon over this.

There are benefits to these devices including learning apps and bedtime stories. It all depends on what kind of information you are willing to surrender. Alexa can't track my personal details via web cookies and such. And we don't give her access to email, calendars or contacts. It's pretty awesome to have down in the kitchen to cook (recipe) or clean (music).
 
Recipes, music, audio books, the occasional video, Wikipedia lookups, traffic conditions between here and Los Angeles for the morning commute, alarms, timers, appointment reminders...all of these things can be made relatively sanitary by using a secondary AMZ account which is completely separate from your primary AMZ account. "Call me Bob."

Running two separate networks, with two different public-facing IP addys, makes for more control over what risk factors you expose your computer systems to, as well: A fiber optic network for computing systems and security needs (AllanNet); and the cable (slower) network for the Echo, Google Home, and IoT devices, along with WiFi risk factors (BobNet). Honestly, the extra $45.00 per month is a trivial outlay, all things considered, and nearly every cable ISP has a cheap, Internet access only, package available.

Should one system experience a full or partial outage, the other will usually be available...unless we have Kaiju romping through the neighborhood, that is.