Researchers have discovered vulnerabilities in Amazon’s digital assistant, Alexa.
In a report published Thursday, researchers from Check Point said attackers could exploit a flaw in Amazon’s Alexa to extract personal information.
“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy,” wrote Oded Vanunu, head of products vulnerabilities research at Check Point. “Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices. It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”
Requires just one click of a malicious link
The team said they found several web application flaws on Alexa-related subdomains, including a Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting (XSS).
The presence of these vulnerabilities could enable attackers to access personal information like home addresses or banking data, remotely install or remove skills on a user’s Alexa account, or extract the victim’s voice history.
“Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker,” said Dikla Barda, of Check Point Research, who helped discover the vulnerabilities.
The team noted that Amazon doesn’t record users’ banking login credentials, but that information could be extracted via recorded interactions with the smart assistant.
“Since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history,” said researchers. “We can also get usernames and phone numbers, depending on the skills installed on the user’s Alexa account.”
Prime targets to attackers
Given how many consumers use virtual assistants, Check Point said these devices are “attractive targets to attackers looking to steal private and sensitive information, or to disrupt an individual’s smart home environment.”
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,” Vanunu said. “But hackers see them as entry points into people’s lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.”
These devices “must be kept secured at all times to keep hackers from infiltrating our smart homes,” the researchers added.