Check Point Research, the threat intelligence arm of Check Point, has identified vulnerabilities in certain Amazon/Alexa subdomains that would have enabled an attacker to remove or install skills on the target’s Alexa account, and access their voice history and personal data.
The attack required a single click by the user on a malicious link crafted by the hacker and voice interaction by the victim.
More than 200 million Alexa units have been sold globally, and the devices are capable of voice interaction, setting alerts, music playback, and controlling smart devices in a home automation system.
In addition, users can extend Alexa’s capabilities by installing ‘skills.’ which are voice-driven apps. And because there is personal information stored in users’ Alexa accounts and the devices are used as home automation controllers, they are compelling targets for bad actors.
It’s these mega digital platforms that can hurt us the most.
Oded Vanunu, Check Point Research
Researchers from Check Point illustrated how the vulnerabilities they found in certain subdomains could be exploited by crafting and sending a malicious link to the intended victim, which appears to come from Amazon. If the target clicks the link, the attacker can then access the victim’s personal information, such as banking data history, usernames, phone numbers and home address.
In addition, the attacker would be able to extract a victim’s voice history with their device, silently install skills (apps) on a user’s Alexa account, view the entire skill list of an Alexa user’s account and silently remove an installed skill.
Oded Vanunu, head of Products Vulnerabilities Research at Check Point, says smart speakers and virtual assistants are so popular that it’s easy to overlook the vast amount of personal data they contain, as well as their role in controlling other smart devices in users’ homes.
“Hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware,” he adds.
Check Point conducted this research, Vanunu says, to showcase how securing these devices is critical to maintaining users’ privacy. “Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities. We hope manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy.”
He says previously, Check Point conducted research on TikTok, WhatsApp and Fortnite. “Alexa has concerned us for a while now, given its ubiquity and connection to IOT devices. It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”
Amazon fixed this issue soon after it was reported.
For details of the vulnerabilities and a video showing how they could have been exploited, visit https://research.checkpoint.com
Share