Just what we need, another attack vector: Voice-Command SQL Injection
Not all web applications are created equal: each one has a different level of application security in place to protect its data and to control who can access it. Unfortunately, the average user has very little insight into how secure any given application is, whether it is their financial, retail, utility or fitness application.
Luckily, there are regulatory requirements for application security in certain industries, such as financial services (FINRA), healthcare (HIPAA) and retail payments (PCI-DSS), but what about industries with no such compliance obligations? And even within regulated industries, have security controls kept pace as applications are extended to new channels, such as Alexa skills, Google Assistant actions, Cortana and Siri?
In fact, it is now easier than ever for an attacker to break into such applications using nothing but their voice. The assistant transcribes the spoken words into text and hands that text to the application's back end; if the back end concatenates it into a SQL query, the attacker can simply speak a SQL injection payload, gain access to the application and read sensitive account information, exactly as they could by typing the same payload into a web form.
To illustrate the vulnerability and raise awareness, Protego's Head of Security and ethical hacker Tal Melamed demonstrates how a simple SQL injection can be executed through a spoken command to gain unauthorized access to sensitive account data.
The demo shows how an unprotected application or skill behind Alexa can be exploited: Alexa transcribes the spoken words and numbers into text, and the skill passes that text straight into its database query. Tal shows how easy it is to gain unauthorized access to an unsecured application through Alexa simply by speaking an account number and a few extra words. Since Tal is an ethical hacker, he uses an application and SQL database he built himself; in reality, it could be any application that takes an account number or a piece of text as a unique identifier.
The demo highlights the following:
- Tal asks for an admin account he is not authorized to access; the skill checks the caller's name and the account ID before answering.
- Alexa at first denies the request.
- Tal then bypasses the denial by speaking a random account number followed by SQL syntax that changes the meaning of the query.
- When asked for an account ID, he says a random number and adds the words "or true". The transcribed text is concatenated into the query's WHERE clause, which now evaluates as true for every row, so the query matches any record in the database rather than only the account he was asked for.
- Alexa then reads back the balance of the admin account Tal was not authorized to see.
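The demo steps above, reproduced as an added example that is not part of the original post or of Tal Melamed's demo code. It stands in for the skill's back end with an in-memory SQLite table (the schema, the account rows, the requester names and the transcribed slot value "42 or true" are all constructed assumptions for illustration), and puts the vulnerable handler that concatenates the transcribed slot value into the query next to a hardened handler that validates the slot, binds it as a parameter and ties the lookup to the authenticated requester:

```python
import sqlite3

# Constructed sample data standing in for the demo's self-built SQL database.
# The schema and values are assumptions for this example.
ACCOUNTS = [
    (1001, "alice", 250.00),
    (1002, "bob", 75.50),
    (9999, "admin", 1_000_000.00),
]


def build_db():
    """Create a fresh in-memory accounts table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_id INTEGER, owner TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def vulnerable_lookup(conn, spoken_account_id):
    """Vulnerable handler: the text Alexa transcribed from the user's speech is
    pasted straight into the SQL statement, so spoken SQL syntax becomes part
    of the query. Saying "42 or true" turns the WHERE clause into
    `account_id = 42 or true`, which matches every row."""
    query = (
        "SELECT owner, balance FROM accounts "
        f"WHERE account_id = {spoken_account_id}"
    )
    return conn.execute(query).fetchall()


def safe_lookup(conn, requester, spoken_account_id):
    """Hardened handler: (1) reject any slot value that is not purely digits,
    (2) bind the value as a query parameter so it can only ever be data, and
    (3) restrict the lookup to accounts owned by the authenticated requester
    (assumed here to come from the skill's account linking)."""
    if not spoken_account_id.isdigit():
        return []
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE account_id = ? AND owner = ?",
        (int(spoken_account_id), requester),
    ).fetchall()


def spoken_reply(rows):
    """Turn query rows into the sentence the skill would speak back."""
    if not rows:
        return "Sorry, I could not find that account."
    return "; ".join(f"{owner} has a balance of {balance:.2f}" for owner, balance in rows)


if __name__ == "__main__":
    db = build_db()
    # Constructed transcription of "forty two or true" as the slot value.
    injected = "42 or true"
    print("vulnerable:", spoken_reply(vulnerable_lookup(db, injected)))
    print("hardened  :", spoken_reply(safe_lookup(db, "alice", injected)))
    print("hardened, other user's account:", spoken_reply(safe_lookup(db, "alice", "9999")))
    print("hardened, own account:", spoken_reply(safe_lookup(db, "alice", "1001")))
```

The vulnerable path returns every account, including the admin balance, for a caller who only ever spoke a number and two words; the hardened path returns nothing for the injected value, nothing for a valid ID the caller does not own, and exactly one row for the caller's own account. The ownership check matters independently of the injection fix: parameter binding alone would still let any linked user read any account whose ID they can guess.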
It is important to note that this demo does not highlight a vulnerability in Alexa itself, but in the application behind it. When handling sensitive data, proper security controls must protect the application on every front and block malicious input arriving from every channel, including virtual digital assistants. The application or skill being interacted with is where the vulnerability lives, and it is what needs additional security measures to defend against voice-command SQL injection.
In environments with no true perimeter around the applications themselves, security teams need to work with developers on building security into the code itself: validating every input and using parameterized queries so that transcribed speech is only ever treated as data, never as SQL. With such application-level measures in place, whether the back end runs on serverless or other cloud infrastructure, a request coming through Alexa would not reach any protected data, even when it carries a SQL injection payload like this one.