A range of alarming flaws affected Amazon’s cloud-based virtual-assistant service Alexa, security researchers have discovered.
The flaws made it possible for cyber crooks to change Alexa skills, listen to Alexa voice recordings and gain access to user personal data.
- Best VPN: add a layer of extra security thanks to a virtual private network
- Get the strongest online security with our best antivirus guide
- Just in: Hackers exploiting global pandemic with these scary internet attacks
Identified by security-software firm Check Point, these vulnerabilities affected specific subdomains used by Amazon and Alexa. The flaws existed on Amazon's servers, not on Amazon Echo devices or other Alexa-enabled devices.
Check Point warned that there were "a few different ways" that these flaws could have been exploited.
One way would have been to create a malicious page on the Amazon.com or Alexa.com domains and then distribute a link to that page for victims to click. The malicious page would have captured a specific type of authorization token, which then would have granted the attacker access to the victim's Alexa account.
From there, Check Point said, the attacker could have deleted an installed Alexa app and replaced it with a malicious app of the same name. The malicious app would execute when the victim next called for it using an Alexa device.
“The attack only required a single click by the user on a malicious link crafted and sent by the hacker, and voice interaction by the victim,” warned the security firm in a press release.
Alexa is one of the world’s most popular AI assistants, boasting tens of millions of users across the world. People use the service for listening to music, managing their calendar, operating smart home products and other reasons.
However, with such a large user base and treasure trove of voice data, Check Point warned that Alexa has become an “attractive target for hackers”.
Oded Vanunu, head of products vulnerabilities research at Check Point, said: “Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes.
“But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.”
Different malicious actions
By distributing links that look like they were created by Amazon and led to a malicious page on the Amazon.com or Alexa.com domains, but were created by attackers, users could be easily convinced to click on them. This would allow hackers to perform myriad malicious actions.
Check Point said hackers could do things like:
- Access a victim’s personal information, such as banking data history, usernames, phone numbers and home address
- Extract and listen to a victim’s voice history with their Alexa
- Silently install Alexa skills (apps) on a user’s Alexa account
- View the entire skill list of an Alexa user’s account
- Silently remove an installed skill to stop it working
Check Point has since reported the vulnerabilities to Amazon, and they have now been fixed.
“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy," Check Point said. "Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains.
Shortly after this story was originally published, Amazon reached out to Tom's Guide with the following statement to confirm the vulnerability was fixed.
“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us," said an Amazon spokesperson over email. "We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”
- Read more: Discover the very best Amazon deals you can get right now