“Alexa, is a hacker listening to everything I say to you?”
According to a new report, they could have been.
Cybersecurity firm Check Point just published its latest research on Amazon’s virtual assistant Alexa. The report details major vulnerabilities that allowed researchers to access Alexa accounts and, in turn, personal data. Amazon says the issue has been fixed, and that it isn't aware of any cases of the vulnerability being used against its customers.
“Our findings show that certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting,” reads the report. “Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf.”
Translation: The flaws allowed malicious actors to install and delete skills — anything from legitimate news apps to malicious skills developed by the hackers to steal your info — on your Alexa account and obtain your personal information through those skills. What kind of personal information? Anything, really.
Amazon has since rolled out a fix to this vulnerability after Check Point reported the issue to the e-commerce giant.
“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us," said an Amazon spokesperson in a statement. "We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”
As Check Point notes, Amazon doesn’t store sensitive financial information such as banking logins, but all of your voice actions are recorded. And, guess what... hackers could’ve also accessed your Alexa voice history through these vulnerabilities, too. By default, the virtual assistant basically records and archives everything you say when an Alexa-enabled device is activated. That means your accessible personal information can extend to anything you told Alexa, or anything you've said at all when Alexa was on. Home addresses, usernames, phone numbers, you name it — all accessible.
Earlier this year at CES 2020, Amazon announced that Alexa powers “hundreds of millions” of devices, including the company’s Echo speakers, Fire tablets, and streaming devices, not to mention third-party products that enable the virtual assistant.
That’s hundreds of millions of potential targets for hackers.
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,” said Check Point Head of Products Vulnerabilities Research Oded Vanunu in a statement. “But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations, or conduct other malicious actions without the owner being aware.”
Security researchers have long warned tech companies and consumers about the security flaws concerning virtual assistants like Alexa. In October of last year, white hat hackers in Germany found that Google and Amazon had both approved apps for Alexa and Google Home that would eavesdrop on its users. Amazon has also faced scrutiny for previously providing access to those Alexa recordings to some of its employees.
“Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices,” said Vanunu, referring to “Internet of Things” devices that use the virtual assistant to control everyday household items and appliances like thermostats and lights. “It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”
UPDATE: Aug. 14, 2020, 10:09 a.m. EDT This story has been updated with a statement from Amazon and to further reflect the fact that the company has fixed the problem.
Topics Alexa Amazon Cybersecurity
