Amazon’s Alexa smart speakers are popular because they obey every word and are seen by many as useful and entertaining. Alexa could also be a gateway for attackers. Experts found weaknesses that have now been closed.
Security researchers from California have discovered several serious security gaps in Amazon’s Alexa voice assistant system and the associated networked loudspeakers that would have made hacker attacks possible. “With just one wrong click, users were at risk of losing a great deal of personal data or even the history of all voice recordings, i.e. their personal voice profile,” said the Israeli security company Check Point, which discovered the weak points in its laboratory in San Carlos, on Thursday. In addition, users could have been spied on via Alexa.
An Amazon spokesman confirmed the information from Check Point and emphasized that the errors have now been fixed. “We value the work of independent researchers like Check Point to alert us to potential problems. We fixed the vulnerability immediately after we heard about it – and will continue to strengthen our systems.” Amazon is not aware of any cases “in which this vulnerability was exploited to the detriment of our customers or customer information was disclosed”.
According to Check Point, the weak points were not in the speakers themselves, but in Amazon’s online infrastructure. Certain Amazon and Alexa Internet domains were vulnerable to cross-site scripting. The researchers were also able to intercept the authorization key (“CSRF token”) and use it to perform actions on behalf of the victim.
With these methods, an attacker could have removed or reinstalled programs (“skills”) on a victim’s Alexa account, among other things. It was also possible to access the Amazon customer’s voice history and steal personal information about the user’s interactions with individual programs. “An attack would have only required a single click on a supposed Amazon link created by the attacker in order to be successful.”
Amazon responded quickly to the disclosure to address these vulnerabilities on certain Amazon and Alexa subdomains, Check Point said. “We hope that manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could endanger the privacy of users.” Check Point has already carried out similar security research on TikTok, WhatsApp and Fortnite and received “alarming results”. However, the company did not want to say exactly which weak points these were.