Cybersecurity researchers from CheckPoint have identified a security flaw in Amazon Alexa, which could have allowed attackers to install and remove apps, listen to voice records, and steal the personal information of users. Additionally, attackers could have effectively executed this without leaving a trace.
CheckPoint researchers identified the flaw and reported it to Amazon before there were any confirmed cases of it being exploited in the wild. Considering IoT devices have become an integral part of many modern homes, this flaw, if exploited, could allow attackers to record users' personal conversations and data, compromising their security completely.
Attackers would build a customized, specially crafted Amazon link, and send it to the targeted users through phishing. Once the link is clicked, the attackers would have access to the list of apps and skills on the Alexa device.
Additionally, attackers can also gain access to the authorization token, which would allow them to add and remove skills or apps as per their preference.
Hackers could simply remove a skill and replace it with a malicious phrase, thus compromising the device. After that, when the user speaks to the device to initiate that skill, it will actually kick-start the hacker's malicious phrase. On top of this, users would have no way of knowing their device is compromised and would continue using Alexa.
For instance, users may continue to converse about their banking details, healthcare records, and more, which would all be recorded by attackers.
Professor Alan Woodward from the University of Surrey mentioned that Amazon is cautious about the skills available in Alexa's skill store, as any loopholes could compromise their AI and affect their reputation. Amazon usually runs proper security reviews before approving and publishing skills in the store.
This security flaw is well known, which makes it rather surprising that Amazon's security team didn't detect it. Luckily, CheckPoint researchers were the first known entity to identify this flaw, but it could just as easily have been discovered first by malicious actors.
Amazon has already fixed this security flaw, and users are now safe from these threats. Most Amazon devices will self-update. If, however, you are manually updating your Amazon devices, ensure your virtual assistants are up to date to maintain your privacy and secure your data.