Vulnerability found in Amazon’s Alexa
Vulnerability found in Amazon’s Alexa smart assistant could have allowed hackers to exploit a user’s voice history and personal data. Cyber security researchers from Check Point Research have documented an exploit in Amazon’s Alexa that could have led to serious breaches of user data had it not been patched. Used in many of the e-commerce giant’s devices such as the Echo and Echo Dot, Alexa is the smart assistant that users interact with to order goods online, play music or to hear the latest headlines.
Certain Amazon and Alexa sub domains were vulnerable to ‘cross-origin resource sharing’ (CORS) misconfiguration and cross-site scripting. The vulnerability was reported to Amazon in June.
This could have allowed anyone with the right knowledge to secretly install or remove skills (an app or capability) on a user’s Alexa account, listen to their voice history or access personal information. All that would have been required for the exploit to work was for the user to click on a fake Amazon link created by hackers in a phishing attempt.
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,”.
“But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.”
How attackers exploit vulnerability:
In testing, the Check Point team came across a mechanism that would prevent anyone from inspecting user commands or information. However, a common script could have been used to bypass this security measure and view user information in clear text.
The researchers claimed that a misconfigured CORS policy could have allowed attackers with code-injection capabilities on one Amazon sub domain to perform a cross-domain attack on another Amazon sub domain. By launching a cross-site scripting attack, the researchers were able to install or remove Alexa skills and “trigger an attacker skill”.
If the victim should unknowingly trigger this installation, it could be possible for a hacker to download voice history records and personal information. This could have lead to exposure of personal information, such as banking data history and home addresses that were given to the device by the user.“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy,”
“Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa sub domains. We hope manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy.”. “We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”
The following is best practices are recommended to prevent the attack:
- Turn off voice input
- Use PIN protection or disable voice purchases
- Turn on your device's sound notification
- Disable your smartphone's address book sharing feature
- Keep your Echo away from windows and doors
- Designate “Alexa-free” rooms