BRATISLAVA - Users of Amazon's Echo speakers and Kindle readers in Singapore and around the world have been put at risk by vulnerabilities that cyber attackers can exploit to intercept the online signals of these devices and take the first step in using them as surveillance tools, said Slovakian cyber-security firm ESET.
The first generation of Echo speakers, an Internet of Things (IoT) device which records user voices to run tasks, and the eighth generation of the Kindle e-reader were found to be vulnerable to this attack.
Amazon has since released firmware updates to patch these vulnerabilities.
At an exclusive press event on Tuesday (Oct 15) in Slovakia, ESET said these devices were discovered to be vulnerable to Key Reinstallation Attacks (Krack) in October last year.
Krack, first reported in 2017, exploits weaknesses in WPA2, the protocol most Wi-Fi devices use to authenticate and encrypt their connections. The attack lets bad actors bypass network encryption and monitor users' network traffic.
When Krack was first announced, the Singapore Computer Emergency Response Team said it could affect the data confidentiality of users' Wi-Fi connectivity in homes and offices. It also said that attackers could use these vulnerabilities to monitor, inject and manipulate users' network traffic.
In a press statement on Thursday, ESET said the vulnerabilities are "quite severe" as they could allow attackers to cause a range of damage, including mounting a denial-of-service attack, decrypting data transmitted by victims and intercepting sensitive information such as passwords.
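As an added illustration of the key-reinstallation weakness described above (example code written for this page, not code from the article, ESET or Amazon), the toy model below reduces the WPA2 4-way handshake to the one decision Krack targets: what a client does when message 3 arrives a second time. The key, message handling and frame counter are constructed stand-ins; the check at the end is the defender's view, a nonce used twice under one key.

```python
"""Toy model of WPA2 pairwise-key installation and the Krack fix.

A vulnerable client that receives a retransmitted message 3 reinstalls the
same pairwise transient key (PTK) and resets the per-key packet number, so
the CCMP nonce repeats and keystream is reused. A patched client notices the
key is already installed and leaves the counter alone. Keys are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Client:
    patched: bool
    ptk: Optional[bytes] = None          # currently installed pairwise key
    packet_number: int = 0               # per-key CCMP packet number (nonce)
    nonces_used: List[int] = field(default_factory=list)

    def on_message3(self, ptk: bytes) -> None:
        """Handle message 3 of the 4-way handshake, possibly a retransmission."""
        if self.patched and self.ptk == ptk:
            # Fix: key already in use, so do not reinstall it or rewind the counter.
            return
        self.ptk = ptk
        self.packet_number = 0           # vulnerable path: counter reset on reinstall

    def send_frame(self) -> int:
        """Encrypt one frame and return the packet number used as the nonce."""
        self.packet_number += 1
        self.nonces_used.append(self.packet_number)
        return self.packet_number


def run_handshake(patched: bool, retransmit: bool) -> List[int]:
    """Install a key, send two frames, optionally see message 3 again, send two more."""
    client = Client(patched=patched)
    ptk = b"\x11" * 16                   # constructed sample key, not a real PTK
    client.on_message3(ptk)
    client.send_frame()
    client.send_frame()
    if retransmit:
        client.on_message3(ptk)          # access point retransmits message 3
    client.send_frame()
    client.send_frame()
    return client.nonces_used


def nonce_reuse_detected(nonces: List[int]) -> bool:
    """Defender-side check: was any packet number used twice under one key?"""
    return len(nonces) != len(set(nonces))
```

Running `run_handshake(patched=False, retransmit=True)` yields the repeated nonces `[1, 2, 1, 2]`, while the patched client continues with `[1, 2, 3, 4]`.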
ESET researcher Miloš Čermák said: "In recent years, hundreds of millions of homes have become smarter and Internet-enabled via one of the many popular home assistant devices available on the market.
"Despite the efforts of some vendors to develop these devices with security in mind, these often remain vulnerable."
ESET said it reported all identified vulnerabilities in Echo and Kindle to Amazon, and subsequently assisted Amazon's security team while they fixed the issues.
Despite queries from The Straits Times, Amazon did not give any details about any vulnerabilities found in its devices, the affected users or if they will be given any kind of compensation.
But a spokesman said: "Customer trust is important to us and we take the security of our devices seriously. Customers received automatic security updates addressing this issue for their devices."
The spokesman added that the company has teams dedicated to ensuring the safety and security of its products and "have taken measures" to make Echo secure.
Such measures include disallowing third-party application installation on the Amazon devices, security reviews, and encryption of communication between its devices, apps and servers, said the spokesman.
The security of IoT devices has come under both the national and international spotlight in recent weeks.
It was reported earlier this month that Singapore's Cyber Security Agency (CSA) and its Dutch counterpart - the Ministry of Economic Affairs and Climate Policy - concluded that government bodies around the world need to play a more active role in tightening legislation and form a universal certification regime to improve the security of IoT devices.
These were among several recommendations highlighted in a 107-page joint study titled The IoT Security Landscape which both agencies released on Oct 2 after studying the threat landscape for about a year.
And on Wednesday, Russian cyber-security firm Kaspersky said that it has detected 105 million attacks on IoT devices coming from 276,000 unique IP addresses in the first six months of the year.
This figure is about nine times more than the number found in the first six months of last year, when only around 12 million attacks were spotted originating from 69,000 IP addresses.
Mr K. K. Lim, head of cyber security, privacy and data protection at law firm Eversheds Harry Elias, said more often than not, security in many devices in the market is not prioritised, which gives rise to the vulnerabilities that Amazon's devices were exposed to.
"Unless the device involves safety or safety plays a huge role like devices embedded in cars, the focus is usually on the ease of use for the end customer, speed to market and cost of manufacturing and security of the device itself is not the focus," he said.
Speaking to ST, ESET's head of threat research Jean-Ian Boutin said he and his team were "surprised" to discover the vulnerabilities in Amazon's devices, and said that Amazon might not have done proper testing.
"This crack in the vulnerability has been around for two years now. We would have thought that most devices will be protected from it," said Mr Boutin.
Mr Lim added that when buying an IoT device and deciding whether to use it, customers should consider the cyber-security risks they expose themselves to.
He said: "The customer should have a clear view why the IoT device itself is necessary and what functions or objectives you are trying to fulfil, and whether the security of the device is a necessary quality that you must demand for yourself."
Mr Bryan Tan, a lawyer from Pinsent Masons MPillay specialising in technology law and data protection, echoed Mr Lim’s view, and added that consumers should be given choices to pick the security they want.
He said: “This allows consumers to balance convenience against cost. Of course, consumer education is also required to help them make the appropriate choices for the security of their IoT devices.”