Researchers at security firm Check Point on Thursday reported that they had found a critical flaw in Amazon Alexa that could have exposed the voice history of more than 200 million of its users to hackers.
According to a report by Check Point, they found “certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting. Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf.”
These vulnerabilities would have allowed an attacker to:
- Silently install skills (apps) on a user’s Alexa account
- Get a list of all installed skills on the user’s Alexa account
- Silently remove an installed skill
- Get the victim’s voice history with their Alexa
- Get the victim’s personal information
In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history, and acquire personal information through skill interaction when the user invokes the installed skill.
Alexa users could have been made easy prey for the vulnerability, as the hack “required just one click on an Amazon link” intentionally crafted and sent by the attacker, the report says.
The hack required the creation of a malicious Amazon link, which would be sent to an unsuspecting user. Once the user clicks on the malicious link, the hacker would get the ability to view the entire skill list, install and remove skills on a user’s Alexa account, and gain access to the victim’s voice history.
The researchers noted that hackers could get around the flaw by creating a separate Alexa skill that uses the same “invocation phrase” as a legitimate service – the series of spoken words used to trigger it.
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes. But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware,” said Oded Vanunu, Head of Products Vulnerabilities Research at Check Point.
“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy. We hope manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy. Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices. It’s these mega-digital platforms that present the biggest security risk and can hurt us the most. Therefore, their security levels are of crucial importance.”
While Amazon does store any sensitive financial information, personal data like home addresses, usernames, phone numbers, and more are saved in the directory, which could have been accessed by hackers.
After discovering the vulnerability, Check Point notified Amazon in June 2020, which has since rolled out an update to patch it.
“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us,” said an Amazon spokesperson in a statement.
“We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”
