Posted on August 22, 2020 at 2:31 PM
Amazon’s Alexa is an incredibly helpful product, and, for a lot of people, and irreplaceable digital assistant. However, it had its fair share of bugs and problems over the years, and judging by the recent report published by Check Point security researchers, the issues are still far from resolved.
Alexa bug endangers users’ sensitive information
According to a recent report by Check Point, Amazon’s Alexa seems to have a bug that could allow hackers unrestricted access to the entire voice history of the product.
Not only that, but they could also get their hands on the users’ personal data, bank account information, and even use it to click on malicious Amazon links.
That way, the attacker would be impersonating the user, and gain access to the user’s list of Alexa Skills. From that point on, Alexa would be an open book for the attacker, while the user’s sensitive information could be irreversibly compromised.
How does it work?
The report revealed that the bug came from a CORS (Cross-Origin Resource Sharing) misconfiguration. As a result, Cross-Site Scripting attacks on Alexa’s domains became possible. What this means is that hackers might use vulnerable Amazon domains to send Ajax requests to Alexa, and receive CSRF tokens, that would let them impersonate users and exploit the system.
In addition, researchers also discovered a way to prevent traffic inspections through an SSL feature.
In essence, all that attackers need to do is create a malicious Amazon link to which they would redirect users, and their access to Alexa’s voice history will be ensured.
From there on, they could access the victim’s username, home address, phone number, and even banking data, as mentioned.
Also, with access to Alexa Skills, hackers could even add a malicious skill, or remove some skills that the user has installed. As soon as the user activates the malicious skill, hackers would receive full access to their accounts.
The situation is even worse due to the fact that a lot of people tend to use Alexa for a variety of everyday tasks, without really having a proper understanding of security. That way, they can put the security of their entire smart home in Alexa’s hands, which would effectively make the hacker in charge of all other smart devices around the household.
Amazon claims that the bug was not used
After discovering the bug, Check Point contacted Amazon and notified the company of the issue. The firm thanked researchers for their efforts, but it denied that hackers could access banking data history. It noted that such data was always redacted in Alexa’s responses.
Meanwhile, Amazon also patched the bug, claiming that it was never used in the wild. In other words, hackers did not discover it before Check Point, which gave the firm enough time to handle the issue and prevent it from ever happening.
Check Point’s head of Products vulnerability research, Oded Vanunu, explained that Amazon did not detect the flaw on its own due to the bug’s multilayered nature. He also praised the firm for the quick response and a patch that fixed the bug in over 200 million Alexa devices.
Lastly, Vanunu noted that Alexa never deletes the users’ voice history. This is something that puts the user in danger, and Check Point believes that users should perform this task manually on regular basis. The process is rather simple, and all that users need to do is open the Alexa app and go to Settings, and then to History. From there, they can individual voice entries, select and delete multiple entries at once, or delete voice history completely.