December 8, 2021

An Alexa Bug Could Have Exposed Your Voice History to Hackers

Smart-assistant devices have had their share of privacy missteps, but they’re generally considered safe enough for most people. New research into vulnerabilities in Amazon’s Alexa platform, though, highlights the importance of thinking about the personal data your smart assistant stores about you—and minimizing it as much as you can.

Findings published on Thursday by the security firm Check Point reveal that Alexa’s web services had bugs that a hacker could have exploited to grab a target’s entire voice history, meaning their recorded audio interactions with Alexa. Amazon has patched the flaws, but the vulnerability could have also yielded profile information, including home address, as well as all of the “skills,” or apps, the user had added for Alexa. An attacker could have even deleted an existing skill and installed a malicious one to grab more data after the initial attack.

“Virtual assistants are something that you just talk to and answer, and usually you don’t have in your mind some kind of malicious scenarios or concerns,” says Oded Vanunu, Check Point’s head of product vulnerability research. “But we found a chain of vulnerabilities in Alexa’s infrastructure configuration that eventually allows a malicious attacker to gather information about users and even install new skills.”

For an attacker to exploit the vulnerabilities, she would need first to trick targets into clicking a malicious link, a common attack scenario. Underlying flaws in certain Amazon and Alexa subdomains, though, meant that an attacker could have crafted a genuine and normal-looking Amazon link to lure victims into exposed parts of Amazon’s infrastructure. By strategically directing users to track.amazon.com—a vulnerable page not related to Alexa, but used for tracking Amazon packages—the attacker could have injected code that allowed them to pivot to Alexa infrastructure, sending a special request along with the target’s cookies from the package-tracking page to skillsstore.amazon.com/app/secure/your-skills-page.

At this point, the platform would mistake the attacker for the legitimate user, and the hacker could then access the victim’s full audio history, list of installed skills, and other account details. The attacker could also uninstall a skill the user had set up and, if the hacker had planted a malicious skill in the Alexa Skills Store, could even install that interloping application on the victim’s Alexa account.

Both Check Point and Amazon note that all skills in Amazon’s store are screened and monitored for potentially harmful behavior, so it’s not a foregone conclusion that an attacker could have planted a malicious skill there in the first place. Check Point also suggests that a hacker might be able to access banking data history through the attack, but Amazon disputes this, saying that information is redacted in Alexa’s responses.

“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us,” an Amazon spokesperson told WIRED in a statement. “We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”
