Amazon Fixed A Nasty Alexa Bug That Could Expose Your Voice History, Skills And Private Data
Security researchers recently discovered multiple vulnerabilities within certain Amazon domains that could have allowed an attacker to access sensitive Alexa data, including voice histories and personal data, before they were fixed. A hacker would have also been able to install and remove skills from a targeted Alexa-enabled device, of which over 200 million have been sold globally.
As if that is not concerning enough, the attack only required a single click by a user on a malicious link crafted by the hacker, and voice interaction by the victim, according to security researchers at Check Point. At that point, the hacker(s) would be able to access the target's personal information, including their banking data history, username, phone number, and home address.
Check Point rightfully notes that it is easy to become lax about these sort of things, because of how commonplace smart speakers and other smart devices have become. But it is a mistake to overlook the potential for hackers to do harm. Hackers aren't, as they seem them as handy entry points into people's lives, Check Point says.
Fortunately, Amazon was quick to address the vulnerabilities after it was made aware of them. It is still concerning that they existed in the first place, but at least Amazon's response to the situation was swift.
"We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy. Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains. We hope manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy," Check Point said.
Check Point posted the technical details of the vulnerabilities, after they had been addressed by Amazon. it's not clear if any hackers actually leveraged the flaws, or if Check Point was the first to discover them.