LAS VEGAS (KLAS) — A cybersecurity solutions company, Check Point, released a report that shows how it identified security vulnerabilities in certain Amazon Alexa virtual assistant subdomains that would have allowed a hacker to remove or install skills on the targeted victim’s Alexa account and access their voice history and personal data.
The personal information stored in users’ Alexa accounts and the devices’ use as home automation controllers make them an attractive target for hackers.
Many recall the eerie video that went viral last December of a hacker speaking to an 8-year-old girl through a Ring camera. It brought to light the security concerns with IoT devices.
Exploiting this new security vulnerability would have involved a hacker crafting a malicious link that appears to come from Amazon and sending it to a target user, according to Check Point’s research.
Check Point researchers demonstrated how the vulnerabilities they found in certain Amazon Alexa subdomains could be exploited by a hacker who crafts a malicious link that appears to come from Amazon and sends it to a target user. If the user clicks the link, the attacker can then:
- Access a victim’s personal information, such as banking data history, usernames, phone numbers, and home address
- Extract a victim’s voice history with their Alexa
- Silently install skills or apps on a user’s Alexa account
- View the entire skill list of an Alexa user’s account
- Silently remove an installed skill
Check Point also released a cybersecurity PSA on YouTube.
With over 200 million sold globally, Alexa is capable of voice interaction, setting alerts, music playback, and controlling smart devices in a home automation system.
Users can extend Alexa’s capabilities by installing ‘skills,’ which are voice-driven apps. However, the personal information stored in users’ Alexa accounts and the device’s use as a home automation controller make them an attractive target for hackers.
Here are 3 safety tips issued by Check Point:
- Avoid unfamiliar apps: Don’t install unfamiliar apps on your smart speaker.
- Think twice before sharing information: Be careful what sensitive information you share with your smart speaker, especially passwords or bank accounts.
- Read before you install an app: Note that nowadays anyone can create smart assistant apps, so read about the app before you install it and check what permissions it requires. Just remember that anyone can publish a ‘skill’ and that skills have capabilities to perform actions and get information.
Check Point Research provides cyber threat intelligence to Check Point Software customers and the greater intelligence community.
The research team collects and analyzes global cyber-attack data to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.
According to Check Point, if you own an Amazon Alexa device, no manual updating is needed at this time. After Check Point shared its findings, Amazon fixed the security issues that were disclosed in the report.