Flaws in Amazon’s Alexa were serious enough that a user “in just one-click” could have handed over their voice history, home address and control of their Alexa account, cybersecurity firm Check Point said in a recent report.
An attacker could have also silently installed, viewed and removed Alexa skills, Check Point said, referring to voice-driven Alexa apps. A hacker could have also accessed a victim’s personal information, such as banking data history and usernames.
“Given Alexa’s popularity and ubiquity, Check Point researchers began to speculate that the AI assistant device is an ‘entry point’ for hackers into a person’s household,” the cybersecurity company said in the report.
More than 200 million devices worldwide have shipped with Alexa, according to CNET.
In one scenario described by Check Point, an Alexa user clicks on a malicious link, and the attacker then gets a list of all installed apps on the Alexa account. The attacker deletes one or more of the apps and installs an app with the same “invocation phrase,” such as “get” or “search,” as the deleted app. When the user next uses the phrase, they trigger the attacker’s app instead of the one they expected, which gives the hacker the ability to perform actions on Alexa.
Check Point said it reported the vulnerabilities to Amazon in June 2020 and the tech giant has subsequently fixed the issue.
“What we do know is that Alexa had a significant period of time where it was vulnerable to hackers,” Check Point spokesperson Ekram Ahmed told Fox News. “Up until Amazon patched, it’s possible that personal and sensitive information was extracted by hackers via Alexa. Check Point does not know the answer to whether that occurred yet or not, or to the degree to which that happened.”
“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us. We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed,” an Amazon spokesperson told Fox News.
It is not possible for someone to gain access to banking information via the user’s Alexa voice history, a person familiar with the voice assistant told Fox News. That information is redacted in Alexa’s responses. This would not have enabled the ability to “take over” the device, the person said.
Amazon also has systems in place to prevent the publication of malicious skills in its Skills Store, the person said, adding that any offending skills that are identified are blocked during certification or quickly deactivated.
Check Point said it conducted the research to underscore how securing Alexa devices is critical to maintaining users’ privacy.
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,” Oded Vanunu, Head of Products Vulnerabilities Research at Check Point, told Fox News in a statement.
“But hackers see them as entry points into people’s lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware,” Vanunu added.
Precautionary measures users can take include not installing unfamiliar apps on their smart speakers and being careful about what sensitive information, such as passwords and bank account information, they share with those speakers, Check Point said.