Apps vulnerable to SQL injection by way of virtual assistant verbal commands

Malicious hackers can use verbal commands to perform SQL injections on web-based applications run by virtual assistants such as Amazon's Alexa, researchers say.

"Leveraging voice-command SQL injection techniques, hackers can give simple commands utilizing voice text translations to gain access to applications and breach sensitive account information," reports Baltimore, Maryland-based Protego Labs, in a blog post this morning. (Protego shared a copy of the post with SC Media in advance of publication.)

The flaw that enables voice-based attacks doesn't lie within Alexa or, for that matter, Google Assistant, Cortana, Siri and similar technologies. Rather, the problem is the apps themselves, Protego explains. According to the blog post, an application can be attacked via voice-based SQL injection if three conditions are met: the Alexa function/skill uses SQL as a database, the Alexa function/skill is vulnerable to SQL injection, and one of the vulnerable SQL queries includes an integer value as a component of the query.

The company has also released a video demonstration of such an attack, performed by Protego Head of Security and Ethical Hacker Tal Melamed. In the demo, Melamed uses merely account numbers and text to gain access to a sample online banking application and SQL database that he built himself for research purposes.

First, Melamed attempts to access an admin account he is not privileged to view. Alexa then denies his request for access after he enters his name identification and account ID. But then Melamed is able to bypass the security measure by verbalizing a random number and then adding "or/true," which allows him to access any line in the database.

"If additional application security measures were in place, whether hosted in serverless or other cloud infrastructure, Alexa wouldn’t be able to access any secure data, even when attempting an SQL injection such as this," the blog post concludes.
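The three conditions above and the demo's "number, then 'or true'" trick come down to one coding defect: an integer taken from transcribed speech is pasted into the SQL text unquoted, so the words the assistant transcribes become SQL operators. The following is an added example written for this article, not Protego's demo code or any Alexa skill; the table, account numbers and function names are constructed here. It puts the vulnerable string-built query beside the fix the post's conclusion calls for (validate the transcribed value as an integer, then bind it as a parameter) so the difference in results can be seen on the same input.

```python
import sqlite3

# Constructed sample data standing in for the demo's banking database.
ACCOUNTS = [
    (101, "alice", 1200.50),
    (102, "bob", 80.00),
    (999, "admin", 1_000_000.00),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn, owner, spoken_account_id):
    """The defective pattern: the id column is an integer, so the author never
    quoted it and simply concatenated the transcribed text into the query.
    A spoken '5 or true' therefore becomes '... AND id = 5 or true', and since
    AND binds tighter than OR the WHERE clause is true for every row."""
    sql = (
        "SELECT id, owner, balance FROM accounts "
        f"WHERE owner = '{owner}' AND id = {spoken_account_id}"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, owner, spoken_account_id):
    """The fix: reject anything that is not a plain integer, then pass both
    values as bound parameters so the database never parses them as SQL."""
    try:
        account_id = int(spoken_account_id.strip())
    except ValueError:
        # Transcribed text that is not a bare number is treated as "no such
        # account" rather than being handed to the SQL engine.
        return []
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = ? AND id = ?"
    return conn.execute(sql, (owner, account_id)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A legitimate request behaves the same either way.
    print(lookup_vulnerable(db, "bob", "102"))
    print(lookup_hardened(db, "bob", "102"))
    # The transcribed phrase from the demo: every row leaks from the
    # vulnerable query; the hardened query returns nothing.
    print(lookup_vulnerable(db, "bob", "5 or true"))
    print(lookup_hardened(db, "bob", "5 or true"))
```

The hardened version also illustrates why the post's third condition matters: a quoted string parameter already has to break out of its quotes, but an unquoted integer slot needs nothing more than the words speech-to-text naturally produces, which is why the integer check before binding is the part of the fix a skill author is most likely to overlook.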

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.