Faizel Patel – 13/08/2020
Check Point Research recently identified security vulnerabilities in certain Amazon/Alexa subdomains that would have allowed a hacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and personal data.
The attack required a single click by the user on a malicious link crafted by the hacker and voice interaction by the victim.
With over 200 million sold globally, Alexa is capable of voice interaction, setting alerts, music playback, and controlling smart devices in a home automation system.
While users can extend Alexa’s capabilities by installing ‘skills.’ which are voice-driven apps, the personal information stored in users’ Alexa accounts and the device’s use as a home automation controller makes them an attractive target for hackers.
Check Point researchers demonstrated how the vulnerabilities they found in certain Amazon/Alexa subdomains could be exploited by a hacker crafting and sending a malicious link to a target user, which appears to come from Amazon.
If the user clicks the link, the attacker can then access a victim’s personal information, such as banking data history, usernames, phone numbers and home address, extract a victim’s voice history with their Alexa, silently install skills (apps) on a user’s Alexa account among other information.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point says the company conducted this research to highlight how securing these devices is critical to maintaining users’ privacy.
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes. But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.”
Vanunu says while Amazon has responded swiftly to close off these vulnerabilities on certain Amazon/Alexa subdomains, he hopes manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy.
Check Point has also conducted research on Tiktok, WhatsApp and Fortnite.
Amazon has since fixed this issue soon after it was reported.
0 Comments