Flaws in Amazon’s Alexa were serious enough that a user “in just one-click” could have handed over their voice history, home address and control of their Amazon account, cybersecurity firm Check Point said in a recent report.
An attacker could have also silently installed, viewed and removed Alexa skills, Check Point said, referring to voice-driven Alexa apps. A hacker could have also accessed a victim’s personal information, such as banking data history and usernames.
“Given Alexa’s popularity and ubiquity, Check Point researchers began to speculate that the AI assistant device is an ‘entry point’ for hackers into a person’s household,” the cybersecurity company said in the report.
File photo: The updated Amazon Alexa Plus is on display in Amazon’s Day 1 building in Seattle on September 20, 2018. (Credit: GRANT HINDSLEY/AFP/Getty Images)
More than 200 million devices worldwide have shipped with Alexa, according to CNet.
In one scenario described by Check Point, an Alexa user clicks on a malicious link, then the attacker gets a list of all installed apps on the Alexa account. The attacker then deletes one or more of the apps and subsequently installs an app with the same “invocation phrase,” such as “get” or “search,” as the deleted app. Then, when the user tries to use the phrase again, they will trigger the app, which gives the hacker the ability to perform actions on Alexa.
Check Point said it reported the vulnerabilities to Amazon in June 2020 and the tech giant has subsequently fixed the issue.
“What we do know is that Alexa had a significant period of time where it was vulnerable to hackers,” Check Point spokesperson Ekram Ahmed told Fox News. “Up until Amazon patched, it’s possible that personal and sensitive information was extracted by hackers via Alexa. Check Point does not know the answer to whether that occurred yet or not, or to the degree to which that happened.”
Fox News has contacted Amazon for comment.
Check Point said it conducted the research to underscore how securing Alexa devices is critical to maintaining users’ privacy.
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,” Oded Vanunu, Head of Products Vulnerabilities Research at Check Point, told Fox News in a statement.
“But hackers see them as entry points into people’s lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware,” Vanunu added.
Precautionary measures users can take include not installing unfamiliar apps on their smart speakers and being careful about what sensitive information, such as passwords and bank account information, they share with them, Check Point said.