Users of Amazon's Echo speakers and Kindle e-readers worldwide have been put at risk by vulnerabilities that attackers within Wi-Fi range can exploit to intercept and decrypt the devices' wireless traffic, a first step towards using them as surveillance tools, says Slovakian cyber-security firm ESET.
The first generation of Echo speakers, an Internet of Things (IoT) device which records users' voices to run tasks, and the eighth generation of the Kindle e-reader have been found to be vulnerable.
Amazon has since released firmware updates to patch these vulnerabilities.
At a press event in Slovakia on Tuesday, ESET said these devices were discovered to be vulnerable to Key Reinstallation Attacks (Krack) in October last year.
Krack, first reported in 2017, exploits weaknesses in WPA2, the security protocol that authenticates devices and encrypts traffic on most Wi-Fi networks. It does not recover the Wi-Fi password. Instead, by replaying messages of WPA2's four-way handshake, an attacker within radio range can trick a device into reinstalling an encryption key it is already using and resetting its packet counter, so that frames are encrypted with a repeated keystream. This lets the attacker decrypt traffic and, depending on the cipher in use, replay or inject packets on the victim's network.
When Krack was first announced, the Singapore Computer Emergency Response Team said it could affect the data confidentiality of users' Wi-Fi connectivity in homes and offices. It also said that attackers could use these vulnerabilities to monitor, inject and manipulate users' network traffic.
In a press release yesterday, ESET said the vulnerabilities are severe, as they could allow attackers to inflict damage - including denial-of-service attacks, decryption of data transmitted by victims and interception of sensitive information such as passwords.
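To make the mechanism described above concrete, the following is an added example (not code from ESET, Amazon or the Krack researchers) that models the key-reinstallation flaw in a few dozen lines of Python. It simulates a client that installs the pairwise key on receipt of handshake message 3 and resets its packet number each time, as the vulnerable devices did, beside a patched client that refuses to reinstall a key already in use. The keystream function is HMAC-SHA256 in counter mode as a stand-in for the AES-CTR core of WPA2's CCMP cipher, and the frame contents are constructed sample data; neither comes from the article.

```python
"""Toy model of a WPA2 key-reinstallation attack (Krack).

Added example, not code from ESET, Amazon or the Krack paper.  It models only the
property the attack abuses: in a counter-mode cipher such as CCMP, the keystream
depends on (key, packet number).  If a retransmitted handshake message 3 makes the
client reinstall the same key and reset its packet number, two frames are encrypted
with the same keystream and an attacker who knows one plaintext recovers the other.

Assumptions (not from the article): the keystream is HMAC-SHA256 in counter mode as
a stand-in for AES-CTR, frame contents are constructed sample data, and there is no
radio; the "attacker" simply holds the captured ciphertexts.
"""
import hashlib
import hmac


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Counter-mode keystream: block i = PRF(key, packet_number || i).

    Stand-in for CCMP's AES-CTR; the property that matters is that the same
    (key, packet_number) pair always yields the same keystream.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Wi-Fi supplicant with a transmit packet number (PN) that starts at 0."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.pn = 0

    def on_handshake_message3(self, ptk: bytes) -> None:
        """Install the pairwise transient key delivered by handshake message 3.

        Vulnerable behaviour (CVE-2017-13077): every install, including a
        reinstall of the same key, resets the PN to 0.  The patched client
        refuses to reinstall a key that is already in use.
        """
        if self.patched and self.ptk == ptk:
            return  # key already installed; keep counting the PN upwards
        self.ptk = ptk
        self.pn = 0

    def send(self, plaintext: bytes) -> tuple[int, bytes]:
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def krack_scenario(patched: bool) -> dict:
    """Run the handshake, the message-3 retransmission and the keystream-reuse attack."""
    ptk = hashlib.sha256(b"constructed PTK for the demo").digest()
    client = Client(patched)
    attacker_captures = []

    client.on_handshake_message3(ptk)              # genuine message 3: key installed, PN = 0
    known = b"DNS query: echo.example.invalid\x00"  # constructed frame the attacker can predict
    attacker_captures.append(client.send(known))   # encrypted with PN = 1

    # The attacker blocks the client's message 4, so the access point retransmits message 3.
    client.on_handshake_message3(ptk)              # vulnerable client: PN reset to 0

    secret = b"Authorization: Bearer s3cr3t-token!"  # constructed sensitive frame
    attacker_captures.append(client.send(secret))  # vulnerable: PN = 1 again -> same keystream

    (pn_a, ct_a), (pn_b, ct_b) = attacker_captures
    # Keystream reuse: ct_a XOR ct_b == known XOR secret, so the attacker peels off `known`.
    n = min(len(ct_a), len(ct_b))
    recovered = xor(xor(ct_a[:n], ct_b[:n]), known[:n])
    return {
        "nonce_reused": pn_a == pn_b,
        "recovered": recovered,
        "attack_succeeded": recovered == secret[:n],
    }


if __name__ == "__main__":
    for patched in (False, True):
        r = krack_scenario(patched)
        print(f"patched={patched}: nonce_reused={r['nonce_reused']} "
              f"attack_succeeded={r['attack_succeeded']} recovered={r['recovered']!r}")
```

Running the script shows the vulnerable client reusing packet number 1 and the attacker recovering the second frame byte for byte, while the patched client keeps counting upwards and the same XOR trick yields garbage. This is why the fix Amazon shipped is a firmware change on the client rather than anything the user can do with a stronger Wi-Fi password.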
ESET researcher Milos Cermak said: "In recent years, hundreds of millions of homes have become smarter and Internet-enabled via one of the many popular home assistant devices available on the market.
"Despite the efforts of some vendors to develop these devices with security in mind, these often remain vulnerable."
ESET said it had reported all identified vulnerabilities in Echo and Kindle to Amazon, and subsequently assisted Amazon's security team while they fixed the issues.
Despite queries from The Straits Times, Amazon did not give details about any vulnerabilities in its devices, the affected users or if they will receive any compensation.
But a spokesman for Amazon said: "Customer trust is important to us and we take the security of our devices seriously. Customers received automatic security updates addressing this issue for their devices."
The spokesman added that the company has teams dedicated to ensuring the safety and security of its products, and that they have taken measures to make Echo secure.
Such measures include disallowing third-party application installation on Amazon devices, security reviews, and the encryption of communication between its devices, apps and servers, said the spokesman.
The security of IoT devices has come under the national and international spotlight in recent weeks.
It was reported earlier this month that Singapore's Cyber Security Agency and its Dutch counterpart - the Ministry of Economic Affairs and Climate Policy of the Netherlands - concluded that government bodies around the world need to play a more active role in tightening legislation and in forming a universal certification regime to improve the security of IoT devices.
These were among several recommendations in a joint study titled The IoT Security Landscape, which both agencies released on Oct 2 after studying the threat landscape for about a year.
And on Wednesday, Russian cyber-security firm Kaspersky said that it had detected 105 million attacks on IoT devices coming from 276,000 unique Internet Protocol (IP) addresses in the first six months of the year.
This is about nine times more than the number in the first six months of last year, when around 12 million attacks were spotted originating from 69,000 IP addresses.
Mr K. K. Lim, head of cyber security, privacy and data protection at law firm Eversheds Harry Elias, said security in many devices is often not prioritised, thus giving rise to the vulnerabilities to which Amazon's devices were exposed.
"Unless the device involves safety or safety plays a huge role, like devices embedded in cars, the focus is usually on the ease of use for the end customer, speed to market and cost of manufacturing, and security of the device itself is not the focus," he said.