A flaw in Amazon’s Alexa smart home devices could have allowed hackers to access private information and conversation data, cyber-security researchers say. Attackers could also have installed or removed apps on a device without the owner knowing, according to research by security firm Check Point.
The hack, it says, “required just one click on an Amazon link” deliberately crafted by the attacker. The firm reported the flaw to Amazon, which has since fixed it.
Amazon told reporters: “The security of our devices is a top priority and we appreciate the work of independent researchers such as Check Point, who bring potential issues to our attention.”
It added that it was not aware of any case in which the vulnerability had been used by a bad actor to target its customers. In January, Amazon told reporters there were “hundreds of millions” of Alexa devices in the world.
HOW THE HACK CAN HAPPEN:
Check Point said the hack required a malicious Amazon link to be created and sent to an unsuspecting user.
Once the link was clicked, the attacker could obtain a list of all Alexa “skills” (apps) installed on the account and steal a token that would allow them to add or remove skills.
Another way of exploiting the flaw was to remove a skill and then install a malicious one with the same “invocation phrase”, the sequence of spoken words used to trigger it. This could have happened without the user being aware of it.
The next time the user tried to activate that skill, the attacker’s app would have run instead.
The attackers would also be able to see the Alexa voice history, a record of the user’s interactions with the device. Check Point said this could create significant problems, pointing to banking skills that let the user check their account balance.
“This could lead to the exposure of personal details, such as credit card data history,” they claimed, although it does not store banking login details.
However, Amazon disputed this claim, saying that credit card information in the record of Alexa’s responses, such as balances, is redacted, so it could not have been accessed.
The attack would also have allowed access to personal data, such as the current address in the user’s Amazon profile, Check Point said. Amazon said it also believed the use of a hidden malicious skill was much less likely than the Check Point researchers suggested.
It said systems were in place to prevent anyone from getting malicious skills into the Alexa Skills store, and that security reviews were part of that process.
Apps that behaved badly were also routinely removed, it said.
“Most malicious actors would probably have been caught by their vetting process; they are pretty good at that and know their reputation is on the line,” said cyber-security expert Prof Alan Woodward of the University of Surrey.
“The thing about this hack is that it was caused by a well-known vulnerability, so it is surprising to see it in Amazon’s estate.”
He said access to voice records was a major concern, and it was unclear whether other hackers might have known about the security flaws in the specific subdomains used in the attack.
“Even though it was found by cyber-security researchers, I am sure less diligent people could have done exactly the same thing.”