Voting data from Amazon Alexa bug exposed

“Alexa, who’s hacking into my system?”

More than 200 million Amazon Echo, Dot and Show owners are unlikely to get an answer from the popular personal assistants, but it is a question they can ask themselves.

Investigators from security company Check Point reported Thursday that they found a bug that could allow hackers to obtain tribe history data and install Alexa skills as Google actions without the user’s knowledge. This means that conversations users have with Alexa regarding personal data can be obtained and used to infiltrate their Amazon devices.

Check Point stated that once personal data was obtained, a hacker could pose as a legitimate user, delete an installed skill and replace it with a doctored version with malicious code. In turn, once the infected program is activated, a hacker could obtain sensitive user data by chatting off conversations. Such information may include financial transactions, health details or personal exchanges that a user may participate through Amazon inquiries.

One approach that a hacker could use is to create a legitimate link to a site that is used to track Amazon packages. An unsuspecting user who clicks on the link will provide a gateway for the hacker to exchange installed skills with malicious.

“Smart speakers and virtual assistants are so simple that it’s easy to see how much personal data they have, and their role in controlling other smart devices in our homes,” said Oded Vanunu, Check Point’s product research chief. “But hackers see them as entry points into people’s lives, giving them the opportunity to gain data, wait for conversations or perform other malicious actions without the owner being aware of them. We conducted this research to highlighting how secure these devices are for maintaining users’ privacy. “

Amazon said it has patched the vulnerability and doubted that any actual breaches had occurred. Bank details, such as balances, are edited from Alexa’s logs, Amazon added.

Check Point acknowledged that Amazon does not include bank sign-in references, and claims that all apps, as well as skills, in the Amazon store are checked for potentially malicious behavior. But Check Point notes that interactions are recorded, including banking tasks, so some data is potentially compromised. Referring to his research results, Check Point said, “We can also get usernames and phone numbers, depending on the skill installed on the user’s Alexa account.”

Meanwhile, a Amazon spokesman said, “We are not aware that cases of this vulnerability are being used against our customers or of any customer information that is exposed.”

Amazon maintains standard records of voice transactions with Echo devices as part of its artificial intelligence efforts. Amazon workers can also listen to those exchanges. Users can choose to deny access to those conversations through the Alexa app. In addition, users can set Echo to automatically clear voice history every three to 18 months. Those who want to delete more often can do this manually, every day or week.

It should be noted that Amazon has reported that it precedes transcripts of some conversations after audio has been deleted.

© 2020 Science X Network