Alexa hack – hackers can control Alexa and its IoT with a single click

Alexa Hack

Yes, another Alexa hack. While this attack vector is now closed the fundamental problem remains. Alexa is very hackable.

Check Point Research disclosed the Alexa hack after responsibly reporting it to Amazon, which fixed the issue. But as we have said on numerous occasions, programmers write quick code, reuse massive API libraries and get it out there.

Security is never the prime consideration unless you are a security company like Check Point.

Nobody knows for how long poor coding and weak security made it simple for hackers to take over an Alexa device and control connected IoT products, eavesdrop on conversations and steal personal data. The Alexa hack required only a single click on a malicious link.

These Alexa Hack vulnerabilities allowed an attacker to:

  • Silently install skills (apps) on a user’s Alexa account
  • Get a list of all installed skills on the user’s Alexa account
  • Silently remove an installed skill
  • Get the victim’s voice history with their Alexa
  • Get the victim’s personal information

These exploits combined allowed an attacker to remove/install skills on the victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill.

Successful exploitation required just one click on an Amazon link specially crafted by the attacker. At this time, only Amazon could determine the extent of this exploitation, and it is not talking.


Alexa Hack target?

It is not just Alexa, although Amazon’s record in securing its other products like Ring (here and here) has been abysmal. It is that there are 200+ million Alexa devices in the wild and potentially billions of connected IoT devices. The problem stems from the fact that anyone can write an Alexa skill and distribute it via the Amazon Skill Store, which has far weaker store security than Google Play or the Apple App Store.

There are over 100,000 Alexa skills covering 9,500 brands and IoT devices. But the reality is that many are useless or poorly written. Counterpoint has shown that Alexa skills are yet another attack vector that cannot be countered by anti-virus or anti-malware software.

Check Point says that users must limit the skills they install on Alexa to well-known ones from major brands. That next cute cat-purring skill could empty your bank account.

Oded Vanunu, Head of Products Vulnerabilities Research at Check Point, said:

“Smart speakers and virtual assistants are so commonplace. It is easy to overlook just how much personal data they hold and their role in controlling other smart devices in our homes. But hackers see them as entry points into people’s lives. It allows them to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.

Check Point conducted this research to highlight how securing these devices is critical to maintaining users’ privacy.

Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices. It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”