Security Flaws Discovered on Amazon’s Alexa

Cybersecurity company Check Point has discovered some serious security flaws in Amazon’s Alexa. According to its report, which was submitted to Amazon, potential hackers can install and remove essential apps from Alexa devices by using a malicious Amazon link, without the owner knowing. With just one click, an attacker can access the victim’s voice history, as well as their personal data, sensitive banking information, home address and usernames. The security issue has been fixed by the tech giant.

BBC News: Amazon Alexa security bug allowed access to voice history

According to BBC News, Check Point said the hack required the creation of a malicious Amazon link, which would be sent to an unsuspecting user.

Once they clicked the link, the attacker could get a list of all installed Alexa “skills” – or apps – and steal a token allowing them to add or remove skills.

One way to use the flaw would be to remove a skill and then install a malicious one that uses the same “invocation phrase” – the series of spoken words used to trigger it. This could have been done without the user knowing.

The next time the user tried to activate that skill, it would have run the attacker’s app instead.

The attackers would have been able to see Alexa’s voice history – a record of conversations between the user and device.

Check Point said this could create major problems, pointing to banking skills that let the user check their account balance.

“This could lead to exposure of personal information, such as banking data history,” they argued – even though it does not save banking login details.

FOX News: Amazon’s Alexa had serious privacy flaws, researchers say

Fox News recounts one scenario described by Check Point in which an Alexa user clicks on a malicious link and the attacker gets a list of all installed apps on the Alexa account. The attacker then deletes one or more of the apps and installs an app with the same “invocation phrase,” such as “get” or “search,” as the deleted app. When the user next uses the phrase, they will trigger the attacker’s app, which gives the hacker the ability to perform actions on Alexa.
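The skill swap described in both the BBC and Fox News accounts leaves one visible trace: an invocation phrase that is now answered by a different skill. The Python below is an added example, not code from Check Point or Amazon, showing how an account owner could audit for that by comparing two snapshots of installed skills; the snapshot format, skill IDs and phrases are constructed for illustration.

```python
"""Added example: diff two snapshots of installed skills and flag any
invocation phrase that is now bound to a different skill."""

# Constructed sample data; the snapshot format is an assumption, not an Amazon export.
BEFORE = [
    {"skill_id": "skill-aaa-111", "invocation": "Example Bank"},
    {"skill_id": "skill-bbb-222", "invocation": "daily weather"},
    {"skill_id": "skill-ccc-333", "invocation": "city radio"},
]
AFTER = [
    {"skill_id": "skill-zzz-999", "invocation": "example  bank"},
    {"skill_id": "skill-bbb-222", "invocation": "daily weather"},
    {"skill_id": "skill-ddd-444", "invocation": "trivia night"},
]


def normalize(phrase):
    """Spoken phrases ignore case and spacing, so compare them that way."""
    return " ".join(phrase.lower().split())


def index_by_phrase(snapshot):
    """Map each normalized invocation phrase to its skill record."""
    return {normalize(s["invocation"]): s for s in snapshot}


def audit(before, after):
    """Return findings as (severity, kind, phrase, old_id, new_id) tuples."""
    old, new = index_by_phrase(before), index_by_phrase(after)
    findings = []
    for phrase, was in old.items():
        now = new.get(phrase)
        if now is None:
            # Skill disappeared and nothing answers its phrase any more.
            findings.append(("medium", "removed", phrase, was["skill_id"], None))
        elif now["skill_id"] != was["skill_id"]:
            # Same spoken phrase, different skill: the swap pattern.
            findings.append(("high", "phrase_rebound", phrase,
                             was["skill_id"], now["skill_id"]))
    for phrase, now in new.items():
        if phrase not in old:
            findings.append(("low", "added", phrase, None, now["skill_id"]))
    return findings


if __name__ == "__main__":
    for finding in audit(BEFORE, AFTER):
        print(finding)
```
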

Check Point said it reported the vulnerabilities to Amazon in June 2020 and the tech giant has subsequently fixed the issue.

Keeping your gate locked on your IoT devices: Vulnerabilities found on Amazon Alexa
