An Alexa Bug Could Have Exposed Your Voice History to Hackers

Smart-assistant devices have had their share of privacy missteps, but they’re generally considered safe enough for most people. New research into vulnerabilities in Amazon’s Alexa platform, though, highlights the importance of thinking about the personal data your smart assistant stores about you—and minimizing it as much as you can.

Findings published on Thursday by the security firm Check Point reveal that Alexa’s web services had bugs that a hacker could have exploited to grab a target’s entire voice history, meaning their recorded audio interactions with Alexa. Amazon has patched the flaws, but the vulnerability could have also yielded profile information, including home address, as well as all of the “skills,” or apps, the user had added for Alexa. An attacker could have even deleted an existing skill and installed a malicious one to grab more data after the initial attack.

“Virtual assistants are something that you just talk to and answer, and usually you don’t have in your mind some kind of malicious scenarios or concerns,” says Oded Vanunu, Check Point’s head of product vulnerability research. “But we found a chain of vulnerabilities in Alexa’s infrastructure configuration that eventually allows a malicious attacker to gather information about users and even install new skills.”

click to read
clicking here
company website
consultant
content
continue
continue reading
continue reading this
continue reading this..
continued
conversational tone
cool training
Get the facts
Related Site
Recommended Reading
Recommended Site
describes it
description
dig this
directory
discover here
discover more
discover more here
discover this
discover this info here
do you agree
enquiry
experienced
explanation
extra resources
find
find more
find more info
find more information
find out here
find out here now
find out more
find out this here
for beginners
from this source
full article
full report
funny postget more
get more info
get more information
get redirected here
get the facts
go
go here
go now
go right here
go to the website
go to these guys
go to this site
go to this web-site
go to this website
go to website
go!!
going here
good
great post to read
great site
had me going
have a peek at these guys
have a peek at this site
have a peek at this web-site
have a peek at this website
have a peek here
he has a good point
he said
helpful hints
helpful resources
helpful site
her comment is here
her explanation
her latest blog
her response
here
here are the findings
here.

For an attacker to exploit the vulnerabilities, she would need first to trick targets into clicking a malicious link, a common attack scenario. Underlying flaws in certain Amazon and Alexa subdomains, though, meant that an attacker could have crafted a genuine and normal-looking Amazon link to lure victims into exposed parts of Amazon’s infrastructure. By strategically directing users to track.amazon.com—a vulnerable page not related to Alexa, but used for tracking Amazon packages—the attacker could have injected code that allowed them to pivot to Alexa infrastructure, sending a special request along with the target’s cookies from the package-tracking page to skillsstore.amazon.com/app/secure/your-skills-page.

At this point, the platform would mistake the attacker for the legitimate user, and the hacker could then access the victim’s full audio history, list of installed skills, and other account details. The attacker could also uninstall a skill the user had set up and, if the hacker had planted a malicious skill in the Alexa Skills Store, could even install that interloping application on the victim’s Alexa account.

Both Check Point and Amazon note that all skills in Amazon’s store are screened and monitored for potentially harmful behavior, so it’s not a foregone conclusion that an attacker could have planted a malicious skill there in the first place. Check Point also suggests that a hacker might be able to access banking data history through the attack, but Amazon disputes this, saying that information is redacted in Alexa’s responses.

“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us,” an Amazon spokesperson told WIRED in a statement. “We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”

Check Point’s Vanunu says that the attack he and his colleagues discovered was nuanced, and that it’s not surprising Amazon didn’t catch it on its own given the scale of the company’s platforms. But the findings offer a valuable reminder for users to think about the data they store in their various web accounts and to minimize it as much as possible.

“This definitely wasn’t a case of an open door and OK, come on in!” Vanunu says. “This was a tricky attack, but we’re glad Amazon took it seriously, because the implications could have been bad with 200 million Alexa devices out there.”

Leave a Reply

Your email address will not be published. Required fields are marked *

Previous post Parenting in the Age of the Pandemic Pod
Next post Do You Really Need to Spend More Than $400 on a Phone?