Security researchers have identified an exploit in Amazon’s Alexa voice platform. When exploited, Check Point Research says that the flaw could have given attackers access to users’ personal information. These include users’ Amazon account details as well as speech histories.
The researchers identified the vulnerability while conducting tests with the Alexa smartphone app. They used a script to bypass the mechanism implemented for protecting the app's traffic, which allowed them to view it in clear text. They found that several requests made by the app had a misconfigured policy, which could be potentially bypassed to send requests from a domain controlled by a malicious party.
In the real world, a bad actor would have been able to convince an unsuspecting user to click on a malicious link to Amazon that actually holds code-injection capabilities. Once clicked, the attacker would be able to get hold of the users’ list of apps and skills installed on Alexa. They would also be able to remotely install and enable new skills for the victim. More serious attackers could also get hold of users’ speech histories as well as personal information from their Alexa account.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point is quoted as saying in a press release:
Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes. But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.
Vanunu adds that the research firm highlighted the flaw to Amazon back in June, and it responded by fixing it. “We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy. Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains,” he said.