What To Know
- A single click on a specially constructed malicious link and some verbal input from the victim were all that was needed to launch the attack.
- Check Point researchers showed how a hacker may exploit the flaws they discovered in some Amazon/Alexa subdomains by creating a malicious link that looks like it came from Amazon and sending it to an unsuspecting user.
Editor’s brief: If you are using Amazon Alexa, Check Point Software has advised that there are vulnerabilities in certain Amazon Alexa subdomains. You may want to check your account. As usual, never click on malicious links sent to you, even if it looks legitimate from a seemingly known contact (as contacts could be hacked). Read more below.
SINGAPORE – Security flaws in certain Amazon/Alexa subdomains were recently discovered by Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a global leader in cyber security solutions. A hacker could have used these flaws to remove or install skills on an Alexa account, access voice history, and steal personal information. A single click on a specially constructed malicious link and some verbal input from the victim were all that was needed to launch the attack. With more than 200 million units sold worldwide, Alexa is a popular choice for home automation because of her ability to play music, provide alarms, and respond to voice commands. Alexa’s functionality can be expanded with the help of “skills,” which are essentially voice-controlled applications. Though convenient, Alexa accounts are a prime target for cybercriminals due to the sensitive information they contain and the devices’ dual role as a controller for home automation.
Check Point researchers showed how a hacker may exploit the flaws they discovered in some Amazon/Alexa subdomains by creating a malicious link that looks like it came from Amazon and sending it to an unsuspecting user. The attacker can do the following if the user follows the link:
- Access a victim’s personal information, such as banking data history, usernames, phone numbers and home address
- Extract a victim’s voice history with their Alexa
- Silently install skills (apps) on a user’s Alexa account
- View the entire skill list of an Alexa user’s account
- Silently remove an installed skill
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes. But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware,” said Oded Vanunu, Head of Products Vulnerabilities Research at Check Point. “We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy. Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains. We hope manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy. Previously, we conducted research on Tiktok, WhatsApp and Fortnite. Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices. It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”
Amazon fixed this issue soon after it was reported.
###
