According to cyber-security experts, a bug in Amazon’s Alexa smart home devices may have given hackers access to personal information and conversation history.
According to Check Point Research, attackers could have installed or uninstalled apps on a device without the owner’s knowledge.
According to the report, the hack “needed only one click on an Amazon connection” created by the intruder.
The company informed Amazon of the bug, which has since been patched.
It said it was unaware of any instances in which a bad actor had exploited the flaw to attack its customers.
Amazon said in January that there were “hundreds of millions” of Alexa devices in use around the world.
According to Check Point, the hack required crafting a malicious Amazon link that was sent to an unsuspecting customer.
Once the victim clicked the link, the attacker could get a list of all installed Alexa “skills” – or applications – and steal a token that would allow them to add or remove skills.
One way to exploit the bug was to disable a skill and then replace it with a malicious one that uses the same “invocation expression” – the sequence of spoken words that activates it. This could have been done without the user’s knowledge.
When the user tried to activate the skill again, the attacker’s app would be launched instead.
The attackers would also have had access to Alexa’s voice history, which is a record of the user’s interactions with the device.
According to Check Point, this may cause major issues, citing banking skills that enable users to check their account balance.
“This could expose personal information, such as banking data history,” they said, even though banking login information is not saved.
Amazon, however, disputed this, saying that banking information – such as balances – was redacted from the record of Alexa’s responses and therefore couldn’t be reached.
According to Check Point, the attack would also give attackers access to personal details in Amazon profiles, such as a home address.
Amazon also stated that it did not think the use of a hidden malicious skill was as likely as Check Point’s researchers said.
It said that mechanisms were in place to keep malicious skills from ever making it into the Alexa Skills Store and that security checks were part of the process.
Apps that were behaving badly were also deactivated on a regular basis, according to the study.
Prof Alan Woodward, a cyber-security expert at the University of Surrey, said, “Their scanning process would have probably detected most bad actors – they are very good at it and know their reputation is on the line.”
“What made this hack so fascinating was that it was triggered by a well-known bug… As a consequence, it’s surprising to see it in Amazon’s estate.”
He said access to voice records was a major concern, but he couldn’t say if other hackers were aware of the weaknesses in the subdomains used in the hack.
“However, if the security researchers had found it, I’m sure a lot less scrupulous people would have done the same.”