Based on your previous coverage of similar topics, we thought you may be interested in this recently discovered voice activation device hack, and a new technique we call Voice-Command SQL Injection.
Here are the highlights:
- Hacker uses a voice-command SQL injection methodology to extract unauthorized data from the application database, including the admin account.
- This is done on an Alexa device but could be performed on any voice-activated digital assistant.
- This could mean that users of virtual assistant skills/applications could be exposed to new attacks.
- The outcome: the tried-and-true SQL injection attack is now voice-enabled.
Write-up:
Picture this: your bank account was hacked. While hardly news on its own, what if it was hacked using nothing but a voice and Alexa? Pretty scary, right?
We all know that not all web applications are created equal; each one has different security measures in place to protect its data and to control application access. Unfortunately, the average user has very little knowledge of how secure each application is, whether it be their financial, retail, utility, or fitness applications.
Luckily, there are regulatory requirements surrounding security measures for applications in certain industries, such as financial services (FINRA), healthcare (HIPAA), and retail (PCI-DSS), but what about industries not covered by regulatory compliance? And even within those, how have security protocols evolved to protect applications and skills as they are extended to new channels like Alexa, Google Assistant, Cortana, and Siri?
In fact, it is now easier than ever for hackers to break into a variety of applications using just their voice. Leveraging voice-command SQL injection techniques, hackers can issue simple spoken commands that the assistant's speech-to-text translation turns into input for the application, gaining access to it and breaching sensitive account information.
To illustrate the vulnerability and raise awareness, Protego's Head of Security and Ethical Hacker, Tal Melamed, shows how a simple SQL injection can be executed through a verbal command in order to gain unauthorized access to sensitive account data. The demo shows how Alexa, in this instance, can be used to exploit an unprotected application or skill by translating spoken words and numbers into the text the application consumes.
Tal will illustrate how easy it is to gain unauthorized access through Alexa to unsecured applications simply by speaking account numbers and text. Since Tal is an ethical hacker, he will be using an application and SQL database he built himself, but in reality it could be any application that accepts an account number or text as a unique identifier.
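To make the defender's side of this concrete, here is an added example (not Protego's or Tal's code, and not an Alexa SDK handler) that models a skill backend receiving a transcribed account-number slot. The `accounts` table, the digit-word normaliser and the 4-digit account format are constructed assumptions; the point is that the transcribed text must be validated and bound as a query parameter rather than concatenated into SQL.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a skill's backend store.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_number TEXT, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("1001", "alice", 250.0), ("1002", "bob", 9000.0), ("1003", "admin", 0.0)])
    return conn

# Assumed minimal normaliser: speech-to-text may deliver an account number as
# digit words ("one zero zero two") or as digits ("1002").
SPOKEN_DIGITS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                 "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}

def normalize_spoken_number(text):
    tokens = text.lower().split()
    if tokens and all(t in SPOKEN_DIGITS or t.isdigit() for t in tokens):
        return "".join(SPOKEN_DIGITS.get(t, t) for t in tokens)
    return text  # not a plain number; leave it for validation to reject

def vulnerable_lookup(conn, spoken):
    # Unprotected pattern: the transcribed slot is concatenated into the query,
    # so whatever the speech engine emits is interpreted as SQL.
    sql = ("SELECT owner, balance FROM accounts WHERE account_number = '"
           + normalize_spoken_number(spoken) + "'")
    return conn.execute(sql).fetchall()

ACCOUNT_RE = re.compile(r"\d{4}")  # assumed account-number format

def hardened_lookup(conn, spoken):
    number = normalize_spoken_number(spoken)
    # 1. Reject anything that is not exactly an account number of the expected shape.
    if not ACCOUNT_RE.fullmatch(number):
        return None
    # 2. Bind the value as a parameter; the driver never treats it as SQL text.
    return conn.execute("SELECT owner, balance FROM accounts WHERE account_number = ?",
                        (number,)).fetchall()
```

In the unprotected handler a transcription containing quote characters and an OR clause returns every row, while the hardened handler refuses it and still serves a spoken "one zero zero two" correctly.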
