Amazon Alexa security bug allowed access to voice history
According to cybersecurity researchers, a flaw in Amazon’s Alexa smart home devices could have allowed hackers to access personal information and conversation history.
Attackers could install or remove apps on a device without the owner knowing, Check Point Research reports.
The hack “only required one click on an Amazon link” specially crafted by the attacker, the researchers say.
The company told Amazon about the flaw, which has now been fixed.
Amazon said, “The security of our devices is a top priority and we appreciate the work of independent researchers such as Check Point who report potential problems to us.”
Amazon said it was unaware of any cases where a bad actor had used the vulnerability to target its customers.
In January, Amazon said there were “hundreds of millions” of Alexa devices in the world.
Check Point claimed that the hack required the creation of a malicious Amazon link, which would be sent to an unsuspecting user.
After clicking the link, the attacker could get a list of all installed Alexa “skills” – or apps – and steal a token that allows them to add or remove skills.
One way to use the flaw would be to remove a skill and then install a malicious one that uses the same “invocation phrase,” the set of spoken words used to activate it. This could have been done without the user knowing.
The next time the user tried to activate that ability, they would run the attacker’s app instead.
The attackers would have been able to see Alexa’s voice history, a recording of the conversations between the user and the device.
Check Point said this could create major problems, pointing to banking skills that let a user check their account balance.
“This could lead to exposure of personal information, such as banking history,” the researchers said, although Alexa does not save bank login details.
Amazon objected to this suggestion, however, stating that banking information, such as balances, was cleared in Alexa’s response log, so it wouldn’t be possible to access it.
The attack would also allow access to personal information in the Amazon profile, such as a home address, Check Point said.
Amazon also said it believed the installation of a malicious skill was less likely than the Check Point researchers implied.
It said there were systems in place to prevent harmful skills from reaching the Alexa Skills Store and that security reviews were part of its process.
Skills that misbehaved were also routinely disabled, the company said.
“Their screening process would probably have caught most of the bad actors – they’re pretty good at it and they know their reputation is at stake,” said Alan Woodward, a cyber security expert at the University of Surrey.
“The problem with this hack was that it was due to a well-known vulnerability … so it’s surprising to see it on the Amazon estate.”
He said access to voice records was a big concern, but he wasn’t sure if other hackers would be aware of the vulnerabilities in specific subdomains used to launch the attack.
“Even if the security researchers had found it, I’m sure less scrupulous people could have done the same.”