The flaws could also have helped attackers obtain usernames, phone numbers, voice history, and installed skills, says Check Point Research.
Smart devices and their voice assistants have become a pervasive and popular way for us to find information, control our surroundings, communicate with others, and tap into a host of skills from business to entertainment. But as we share certain personal requests and details with our smart devices, concerns have arisen over the security and privacy of our data.
A report released Thursday by intelligence provider Check Point Research highlights recent security vulnerabilities found in Amazon Alexa, which could have given attackers access to the confidential information of users.
SEE: Amazon Alexa: An insider’s guide (free PDF) (TechRepublic)
In a blog post entitled “Keeping the gate locked on your IoT devices: Vulnerabilities found on Amazon’s Alexa,” Check Point describes how it uncovered a series of vulnerabilities in Amazon’s voice assistant that could have provided an open door to hackers. The operative phrase here is “could have.” Check Point responsibly shared its findings with Amazon in June 2020, prompting the company to patch the vulnerabilities and fix the issue.
“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us,” an Amazon spokesperson told TechRepublic. “We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”
However, while the flaws still existed, Check Point said that hackers could have attempted the following malicious acts:
- Silently installed skills and apps on a user’s Alexa account.
- Got a list of all installed skills on the user’s Alexa account.
- Silently removed an installed skill.
- Got the victim’s voice history with Alexa.
- Got the victim’s personal information, including username, home address, and phone number.
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,” Oded Vanunu, Check Point’s head of products vulnerabilities research, said in a press release. “But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations, or conduct other malicious actions without the owner being aware.”
In its research, Check Point discovered that several subdomains for Alexa and Amazon contained multiple security holes. Specifically, these subdomains were vulnerable to Cross Site Scripting (XSS), though which attackers inject malicious client-side code into websites.
Further the subdomains were vulnerable to misconfigurations in Cross-Origin Resource Sharing (CORS), which gives a web application on one domain access to specific resources on another domain. Using an exploit known as Cross-Site Request Forgery (CSRF), attackers could have used XSS to obtain a CSRF token to perform actions on behalf of the victim.
With these vulnerable subdomains, the flow of an attack could have played out as follows:
- The user clicks a malicious link that directs them to track.amazon.com where the attacker has code-injection capability.
- The attacker then sends a request with the user’s cookies to skillsstore.amazon.com/app/secure/your-skills-page and gets a list of all installed skills on the Alexa account and the CSRF token.
- The attacker uses the CSRF token to remove one common skill from the user’s list.
- The attacker installs a skill with the same trigger phrase as the deleted skill.
- Once the user tries to use the trigger phrase, the attacker’s skill runs instead of the expected skill.
By manipulating a user’s skills, an attack could have accessed the person’s voice history with Alexa, meaning both the initial voice commands and Alexa’s responses to them. Amazon doesn’t record bank account credentials, but the victim’s interaction with the bank skill could have been used to obtain the banking data history, according to Check Point. Abusing other types of skills, the attacker could also find usernames, phone numbers, and even home addresses, the report said.
Though Amazon questioned a couple of the specific claims raised in the research, Check Point stands by its findings.
“It was, indeed, possible for a hacker to access an Alexa user’s banking transaction history,” said Check Point’s head of public relations, Ekram Ahmed. “Simply, if a person used Alexa to make purchases or transactions, an attacker would have been able to see those purchases or transactions by making the user click on a crafted link, unless the user has deleted their voice history chat. To substantiate this point, here is Amazon’s own statement on what it records.”
Further, the flaws that Check Point discovered could have allowed an attacker to upload a skill to Alexa, Ahmed asserted. Though such a skill might not necessarily have been “malicious” in nature, the skill could still have proven problematic. For example, an attacker could have uploaded a skill that would start a recording, open a camera, or turn on the microphone.
“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy,” Vanunu said. “Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains. Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices. It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”
For users of smart devices and voice assistant apps, Ahmed offers the following three security tips:
- Avoid unfamiliar apps. Don’t install unfamiliar apps on your smart speaker.
- Think twice before you share. Be careful what sensitive information you share with your smart speaker (e.g. passwords, bank accounts).
- Read about the app. Note that nowadays anyone can create smart assistant apps, so read about the app before you install it and check what permissions it requires. Just remember that anyone can publish a skill, and that skills have capabilities to perform actions and get information.