Amazon Alexa security error gave access to voice history


Image caption: A white Amazon Echo smart speaker on a kitchen countertop with coffee and a croissant (Copyright: Getty Images)

A bug in Amazon’s Alexa smart home devices could allow hackers to access personal information and conversation history, say cybersecurity researchers.

Attackers were able to install or uninstall apps on a device without the owner knowing, Check Point Research reports.

The hack “required only one click on an Amazon link” that had been deliberately crafted by the attacker, it says.

The company told Amazon about the bug, which is now fixed.

Amazon said: “The safety of our devices is a top priority, and we appreciate the work of independent researchers such as Check Point who bring potential issues to us.”

It said it did not know of a case where a bad actor had used the vulnerability to target its customers.

In January, Amazon said there were “hundreds of millions” of Alexa devices in the world.

Malicious skill

Check Point said the hack required the creation of a malicious Amazon link, which would be sent to an unsuspecting user.

Once they clicked on the link, the attacker could get a list of all installed Alexa “skills” – or apps – and set up a token allowing them to add or remove skills.

One way to use the flaw would be to remove a skill and then install a malicious one that uses the same “call phrase” – the spoken words used to trigger it. This could be done without the user knowing.

The next time the user tried to activate this skill, it would have run the attacker’s app instead.
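The replacement described above has a recognisable signature: between two snapshots of a user’s installed skills, one skill disappears and a different skill answering to the same invocation phrase appears. The following is an added example, not code from the article, from Check Point or from Amazon. It assumes some way of taking those snapshots (the article describes none) and uses a constructed skill-list shape (skill_id, publisher, invocation phrase) and constructed before/after data.

```python
"""Flag a skill that has been silently swapped for another skill reusing its
invocation phrase.  Added illustration; the record shape and the two
snapshots below are constructed, not Amazon's data or API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Skill:
    """One entry in a user's installed-skill list (constructed shape)."""
    skill_id: str    # hypothetical unique identifier assigned by the store
    publisher: str   # hypothetical developer name shown in the store listing
    invocation: str  # spoken phrase that launches the skill


def normalize(phrase: str) -> str:
    """Spoken matching is case-insensitive and ignores spacing differences."""
    return " ".join(phrase.lower().split())


def find_silent_replacements(before, after):
    """Return (old, new) pairs where a skill vanished between the snapshots and
    a different skill answering to the same invocation phrase took its place.

    Ignored on purpose: a genuinely new phrase, an unchanged skill (same id),
    and a phrase collision where the original skill is still installed.
    """
    old_by_phrase = {normalize(s.invocation): s for s in before}
    ids_after = {s.skill_id for s in after}
    hits = []
    for new in after:
        old = old_by_phrase.get(normalize(new.invocation))
        if old is None or old.skill_id == new.skill_id:
            continue
        if old.skill_id in ids_after:
            continue  # old skill still present, so nothing was swapped out
        hits.append((old, new))
    return hits


# Constructed snapshots: before the user clicked the link, and afterwards.
BEFORE = [
    Skill("skill-bank-001", "Example Bank plc", "My Bank"),
    Skill("skill-weather-007", "Example Weather", "weather report"),
]
AFTER = [
    Skill("skill-weather-007", "Example Weather", "weather report"),
    # Same spoken phrase (differing only in case/spacing), different skill.
    Skill("skill-evil-042", "unknown-dev-42", "my  bank"),
]


def audit(before=BEFORE, after=AFTER):
    """Run the check and describe each hit as one human-readable line."""
    return [
        f"'{old.invocation}' now routes to {new.skill_id} ({new.publisher}), "
        f"previously {old.skill_id} ({old.publisher})"
        for old, new in find_silent_replacements(before, after)
    ]


if __name__ == "__main__":
    for line in audit():
        print("ALERT:", line)
```

The check keys on the normalised phrase rather than the skill name because the phrase is what the device actually dispatches on; a user who uninstalls and reinstalls the same skill produces no alert, since the identifier is unchanged.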


The attackers could see Alexa’s voice history – a record of conversations between the user and device.

Check Point said this could create major issues, pointing to banking skills that let users check their account balance.

“This could lead to disclosure of personal information, such as history of bank details,” it claimed – even though Alexa does not store bank login credentials.

Amazon, however, disputed this suggestion, saying that bank information – such as balances – was redacted from the record of Alexa’s responses, so it could not be accessed.

The attack would also give access to personal information in the Amazon profile, such as a home address, Check Point said.

Amazon also said it believed the use of a secret malicious skill was less likely than the Check Point researchers implied.

Video: Amazon’s head of Alexa Dave Limp on privacy concerns

It said there were systems in place to prevent malicious skills from ever reaching the Alexa Skills Store – and that security reviews were part of its process.

Skills that behaved badly were also routinely disabled, it said.

“Their screening process would probably have caught most bad actors – they’re pretty good at it and know their reputation is at stake,” said cyber-security expert Prof Alan Woodward of the University of Surrey.

“The thing about this hack was that it was due to a vulnerability that is known … so it’s surprising to see it in Amazon’s estate.”

He said access to voice records was a major concern, but was unsure whether other hackers could have known about the vulnerabilities in the specific subdomains used to launch the attack.

“Although if the security researchers found it, I’m sure less scrupulous people could have done the same.”