If you’re the type of person who turns off Siri and refuses to keep a smart-assistant device in your home for fear of spying, you’re about to be real smug. Independent researchers Check Point Research found a bug in Amazon’s Alexa which could have allowed hackers to access personal information and conversation history.
The bug had the potential to be exploited by hackers and would grant them access to a user’s entire voice history, meaning it could gain access to their entire conversation history with Alexa, the report found.
Check Point’s head of product vulnerability research, Oded Vanunu, told Wired, “We found a chain of vulnerabilities in Alexa’s infrastructure configuration that eventually allows a malicious attacker to gather information about users and even install new skills”.
In order to do so, a hacker would have to create a malicious Amazon link for a victim to click on, and underlying flaws in Amazon and Alexa subdomains meant it would be easy for an attacker to make a genuine-looking link.
According to the BBC, once the link had been clicked, “it would be easy to get a list of all installed Alexa “skills” – or apps – and steal a token allowing them to add or remove skills”.
From there, an attacker might remove a skill and replace it with a malicious one with the same invocation phrase – or trigger phrase – so that the next time a user-activated that app, they would unsuspectingly activate the attacker’s app.
Check Point warned that hackers could gain access to a user’s personal information through their Amazon account, including their home address and – potentially – their bank details. However, Amazon said that this was unlikely because Alexa is not stored on Alexa’s recorded responses. They also claimed that the likelihood of this bug being exploited maliciously was small, because there are systems in place to prevent malicious skills from entering the Alexa Skill Store in the first place, which are routinely reviewed, and any malicious skills found are consistently deactivated.
A spokesperson for Amazon told Wired: “The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us.
“We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems.
We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”
The bug has thankfully been fixed, so you can use your robot assistants in peace (for now).
