New research from security software firm Check Point has detailed vulnerabilities in the Amazon Alexa service which could have exposed the private information of its users to hackers.
Amazon’s Alexa virtual assistant allows users to control their home’s smart devices through voice interaction. This lets them perform a wide variety of actions with compatible gadgets – such as setting alerts, turning on lights, or playing music.
Check Point identified bugs in the Amazon/Alexa subdomains that may have allowed a hacker to remove or install skills (apps) on a user’s Alexa account to access that user’s voice history and personal data.
For the hacker to gain access to this information, the targeted victim would have to click on a single malicious link crafted by the hacker and confirm the action with their voice.
Should the user click the link, the attacker would be able to:
- Access a victim’s personal information – including banking data history, usernames, phone numbers and home address.
- Extract a victim’s voice history with their Alexa.
- Silently install skills (apps) on a user’s Alexa account.
- View the entire skill list of an Alexa user’s account.
- Silently remove an installed skill.
Check Point provided the video below, which illustrates how the attack would have been carried out.
Amazon fixes bugs
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point, said the company had been concerned about Alexa’s security, particularly given its ubiquity and connection to IoT devices.
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,” Vanunu said.
“But hackers see them as entry points into people’s lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware,” he warned.
Fortunately, Amazon responded quickly to Check Point’s disclosure of the flaws and closed off the vulnerabilities on certain Amazon/Alexa subdomains, Vanunu said.
“We hope manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy,” Vanunu added.