Amazon Echo owners have been warned that voice assistant Alexa could allow hackers to access their personal information, install or remove Alexa Skills (what Amazon calls apps for its smart speaker), or listen to recordings of voice commands. Researchers found a vulnerability within the talkative assistant that can be exploited using a malicious link crafted by a cyber crook.
With more than 200 million Amazon Echo units sold globally, Alexa could become a popular target for cyber criminals.
Security researchers from Check Point discovered the flaw within Alexa. The attack cannot be initiated with the voice activated speaker itself, but instead requires cyber crooks to handcraft a malicious link – that looks as if it has been sent by Amazon. If the hackers can convince the target to click on the link, they will be able to:
- Access the target’s personal information, like banking data history, usernames for online accounts, phone numbers, and home address
- Extract and listen to voice recordings from previous requests to Alexa
- Silently install skills onto the target’s Alexa account to enable new features
- View the complete list of Alexa skills already associated with the target’s account
- Silently remove an installed skill to stop it working
Amazon Echo owners need to be careful when clicking on any links. After all, Echo owners can save a lot of information with their account details, including their home Wi-Fi name and password, home address, and more. Cyber criminals often use malicious links to exploit vulnerabilities in devices and accounts, so you should never enter your personal information into untrusted online forms.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point, said: “Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes. But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.
“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy. Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains. We hope manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy. Previously, we conducted research on TikTok, WhatsApp and Fortnite.