Hometechnology News

Vulnerabilities in Alexa allowed hackers to access users' personal info, voice history

Vulnerabilities in Alexa allowed hackers to access users' personal info, voice history

Vulnerabilities in Alexa allowed hackers to access users' personal info, voice history
Profile image

By Megha Vishwanath  Aug 13, 2020 5:36:01 PM IST (Published)

Researchers demonstrate how hackers could remove/install skills on a victim’s Alexa account, access voice histories, and personal information.

Security vulnerabilities in a few of Amazon's Alexa subdomains allowed hackers to remove or install skills on the targeted victim’s Alexa account, access their voice history and personal data, research by cyber security firm Check Point revealed.

Recommended Articles

View All

Amazon fixed this issue soon after it was reported, Check Point said.
The attack required a single click by the user on a malicious link crafted by the hacker and voice interaction by the victim.
Amazon's Echo smart speakers, which has sold over 200 million units globally, are powered by Alexa, which is capable of voice interaction, setting alerts, music playback, and controlling smart devices in a home automation system.
Users can extend Alexa’s capabilities by installing ‘skills’, which are voice-driven apps.
However, the personal information stored in users’ Alexa accounts and the device’s use as a home automation controller makes them an attractive target for hackers.
Check Point said its researchers demonstrated how the vulnerabilities they found in certain Amazon/Alexa subdomains could be exploited by a hacker crafting and sending a malicious link to a target user, which appears to come from Amazon.  If the user clicks the link, the attacker can then:
  • Access a victim’s personal information, such as banking data history, usernames, phone numbers and home address
  • Extract a victim’s voice history with their Alexa
  • Silently install skills (apps) on a user’s Alexa account
  • View the entire skill list of an Alexa user’s account
  • Silently remove an installed skill
  • "Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes," said Oded Vanunu, Head of Products Vulnerabilities Research at Check Point.
    "But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware," he added.
    Vanunu said that the research was conducted to highlight how "securing these devices is critical to maintaining users’ privacy".
    "Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains. We hope manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy," he said.
    Check Point has previously conducted research on TikTok, WhatsApp and Fortnite.
    "Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices. It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance," Vanunu said.
    Check out our in-depth Market Coverage, Business News & get real-time Stock Market Updates on CNBC-TV18. Also, Watch our channels CNBC-TV18, CNBC Awaaz and CNBC Bajar Live on-the-go!