Last week, IoT security was in the spotlight again as researchers warned that Amazon’s Alexa is vulnerable to malicious third-party apps, or “skills”, that could leave owners at risk of a wide range of cyberattacks.
Researchers analysed 90,194 unique skills from Amazon’s skill stores across seven countries, and found widespread security issues that could lead to phishing attacks or the ability to trick Alexa users into revealing sensitive information.
For instance, developers can register skills that fraudulently use well-known company names, and leverage these fake brand names to send out phishing emails that link to the skill’s Amazon store webpage. Attackers can also make code changes after their skills have been approved by Amazon, opening the door for various malicious configurations.
Alan Grau, VP, IoT & Embedded Solutions, at Sectigo, comments:
“Continued innovation in the Internet of Things technology has propelled us into the Fourth Industrial Revolution and is undoubtedly valuable for consumers and businesses alike.
However, as this research into Alexa’s vulnerabilities has shown, we can’t be oblivious to the security risks that go hand-in-hand with introducing such a large number of devices into the ecosystem. Left unchecked, this presents a huge security risk. While there are many potential threats to IoT devices, a common thread in IoT security weakness is the lack of strong authentication.
As attack vectors continue to evolve, it is increasingly critical that organizations embrace security solutions that ensure the integrity and security of their IoT systems. Best-practices for IoT device security include strong authentication and secure software updates – ensuring only authentic code can be installed on the device. For a complex system such as Alexa’s Skills that involve the Alexa platform, third-party apps and third-party cloud services – a comprehensive approach to ensuring the security of the ecosystem is essential.”