Older Amazon Echo and Kindle devices vulnerable to KRACK WiFi security flaw

A patch for the bug affecting Echo and Kindle devices was released by Amazon earlier this year

First-generation Amazon Echo devices and older Kindle e-readers are vulnerable to a WiFi security vulnerability from 2017, with users urged to update and patch their devices as soon as possible.

The KRACK WiFi vulnerability, first disclosed in 2017, was still impacting millions of older Amazon devices in 2018, according to ESET Smart Home Research Team.

The bug was eventually patched by Amazon earlier this year, after ESET researchers informed the company about it in October 2018.

Dubbed KRACK (Key Reinstallation Attack), this vulnerability was discovered by two Belgian security researchers, Frank Piessens and Mathy Vanhoef, in October 2017. It existed in the four-way handshake of the WPA2 protocol, which secured almost all modern Wi-Fi networks at that time.

The researchers found that the bug enabled malicious actors to decrypt WPA2-protected traffic, exposing information sent in plain text over WiFi networks.

According to the researchers, KRACK could allow hackers to carry out attacks against devices on a WPA2 protected network.

Last year, ESET researchers carried out some tests to evaluate the security of older Kindle and Echo devices and found that Amazon Echo (first-gen) and Amazon Kindle (eighth-gen) devices were still vulnerable to two KRACK vulnerabilities: CVE-2017-13078 and CVE-2017-13077.

The vulnerabilities allowed attackers to intercept sensitive details such as session cookies or passwords; forge or inject data packets; disrupt network communication; and much more.

Since tens of millions of Amazon Echo and Kindle devices have been sold in the US alone, this posed an extensive security risk.

ESET disclosed those vulnerabilities to Amazon on 23rd October 2018. The company told ESET that it would examine those bugs and come up with patches, if required.

On 8th January 2019, Amazon informed ESET that a patch for the vulnerabilities was ready and that the company would push it to vulnerable devices in the coming weeks.

The patch came in the form of an update to wpa_supplicant, a small programme responsible for authentication to the Wi-Fi network.

While most users of Amazon Echo and Amazon Kindle devices should have the latest firmware installed on their devices, ESET advises users to recheck their Echo and Kindle settings and ensure that they are definitely using the latest firmware for their devices.