“Alexa, is a hacker listening to everything I say to you?”
According to a new report, yes, quite possibly.
“Our findings show that certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting,” reads the report. “Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf.”
Translation: The flaws allowed malicious actors to install and delete skills — anything from legitimate news apps to malicious skills developed by the hackers to steal your info — on your Alexa account and obtain your personal information through those skills. What kind of personal information? Anything, really.
As Check Point notes, Amazon doesn’t store sensitive financial information such as banking logins, but all of your voice actions are recorded. And, guess what… hackers could’ve also accessed your Alexa voice history through these vulnerabilities, too. By default, the virtual assistant basically records and archives everything you say when an Alexa-enabled device is activated. That means your accessible personal information can extend to anything you told Alexa, or anything you’ve said at all when Alexa was on. Home addresses, usernames, phone numbers, you name it — all accessible.
Earlier this year at CES 2020, Amazon that Alexa powers “hundreds of millions” of devices, including the company’s Echo speakers, Fire tablets, and streaming devices, not to mention third-party products that enable the virtual assistant.
That’s hundreds of millions of potential targets for hackers.
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,” said Check Point Head of Products Vulnerabilities Research Oded Vanunu in a statement. “But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations, or conduct other malicious actions without the owner being aware.”
According to Check Point, Amazon rolled out a fix to this vulnerability after the firm reported the issue to the e-commerce giant.
Security researchers have long warned tech companies and consumers about the concerning virtual assistants like Alexa. In October of last year, white hat hackers in Germany that Google and Amazon had both approved apps for Alexa and Google Home that would eavesdrop on its users. Amazon has also faced for previously providing access to those Alexa recordings to some of its employees.
“Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices,” said Vanunu, referring to “Internet of Things” devices that use the virtual assistant to control everyday household items and appliances like thermostats and lights. “It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”