Amazon.com Echo and Kindle devices were discovered last year to contain WPA/WPA2 protocol vulnerabilities that could potentially allow malicious actors to uncover keychains used to encrypt Wi-Fi traffic.
The vulnerabilities, CVE-2017-13077 and CVE-2017-13078, are prone to Key Reinstallation Attacks (aka KRACK attacks), and were disclosed back in 2017 by a pair of Belgian researchers. In essence, they allow actors to reinstall an already-in-use key and replay cryptographic handshake messages, ultimately helping them decipher the full keychain.
CVE-2017-13077 enables the reinstallation of the pairwise encryption key a four-way handshake, while CVE-2017-13078 allows reinstallation of the group key (GTK) in a handshake. Such attacks are only effective, however, if the attacker and victim devices are in range of the same Wi-Fi radio network.
In a company blog post released today, cybersecurity firm ESET revealed that in 2018, researchers from its Smart Home Research Team tested the first-generation Amazon Echo smart speaker and eighth-generation Kindle e-reader for the two KRACK vulnerabilities, and found them to be susceptible.
ESET reportedly informed Amazon of the vulnerabilities in October of 2018, and by early 2019 had Amazon subsequently released a corrective firmware update for both products, tens of millions of which have been sold. ESET encouraged owners of all Echos and Kindles to verify that they are using the most up-to-date version of the firmware, which is immune to exploitation of the two aforementioned KRACK vulnerabilities.
“Customer trust is important to us and we take the security of our devices seriously,” said an Amazon spokesperson to SC Media. “Customers received automatic security updates addressing this issue for their devices.”
ESET malware researcher Miloš Čermák, who authored the report, said in the blog post that the vulnerabilities are significant because they could enable attackers to execute denial of service attacks and disrupt network communications; decrypt transmitted data; create, dismiss and inject new packets; and intercept passwords and session cookies.