Investigators at cybersecurity provider Check Point discovered a bug in Amazon’s Alexa virtual assistant that left owner’s personal information vulnerable before it was patched in June.
The investigators detailed the vulnerability in a report released Thursday, saying potential hackers could have hijacked the voice assistant devices using malicious Amazon links.
Once these links were clicked, hackers would be able to install or remove “Skills” – essentially apps – from Alexa devices.
They would also be able to access the voice history of the user with their device, as well as personal information as sensitive as bank details and home addresses.
Check Point presented the bug to Amazon this past June and the company confirmed the security issues later. The online retail giant did not immediately return a request for comment from The Hill.
Experts have long warned about security vulnerabilities present in devices with Internet enabled that are now common in many American homes.
More than 200 million Alexa-enabled devices were sold at the end of 2019, and a vulnerability in those devices could pose serious privacy risks.
“Smart speakers and virtual assistants are so common that it’s easy to see how much personal data they have, and their role in controlling other smart devices in our homes,” said Oded Vanunu, head of product research at Vulnerability at Check Point , in a statement.
“But hackers see them as entry points into people’s lives, giving them the opportunity to gain data, wait for conversations or perform other malicious actions without the owner being aware of them.”
However, Amazon has insisted that the devices are safe.
“The safety of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who are bringing potential issues to us,” an Amazon spokesman said in a statement to The Hill. “We have fixed this issue shortly after it came to our attention, and we continue to strengthen our systems. We are not aware that cases of this vulnerability are being used against our customers or any customer information that is exposed. “
.
