Amazon Alexa devices were discovered to be vulnerable to an attack by hackers that would have given them access to your voice history, personal data and Alexa account. The vulnerability was demonstrated by Check Point Research in a report where it can be seen that a bad actor can use this flaw to access the victim’s personal information, voice history with Alexa and other private details.
Amazon’s Alexa devices include smart speakers, smart displays and other home automation products. Alexa skills are installed to extend the voice assistant’s capability to control more devices by voice commands. Amazon sold over 200 million Alexa-powered devices last year which makes it one of the more common IoT products that people buy.
The researchers at Check Point Software Technologies found that some Amazon subdomains could have been exploited by hackers to send a malicious link to users. These links seem to be genuine and users could mistake it for an official Amazon tracking link but it redirects to a malicious page which raises a request to get into your Alexa account and access your private information.
“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy. Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains. We hope manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy,” said Oded Vanunu, Head of Products Vulnerability Research at Check Point.
Amazon did take stock of the situation almost immediately and has seemingly fixed the vulnerability. While the researchers have suggested that hackers could have easily gained access into user’s private information, collecting bank account details but Amazon refutes this claim stating that all bank details are redacted from Alexa’s responses.
In a statement to Wired, Amazon said that “The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us. We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed."
This isn’t the first time a flaw has been discovered in smart devices as both Amazon and Google have often been demonstrated to be vulnerable to hackers. Having said that, we recommended our readers to be vigilant of smart devices and use the physical microphone disable button occasionally.