Owners of Amazon Echo devices have been warned that their systems may have been compromised due to a security flaw in the Alexa voice recognition service.
Researchers from security firm Check Point found vulnerabilities in certain Amazon and Alexa subdomains that could have allowed an outsider to access a user’s voice history.
This includes all of a user’s voice searches and conversation history, meaning personal data could have been accessed and potentially stolen.
Alexa security flaw
Alexa users could easily have been tricked into triggering the attack, which reportedly needed only a single click on a malicious link crafted and sent by the hacker.
Check Point says the attack could also have allowed hackers to remove or install apps (known as skills) on the victim’s Alexa account, meaning malicious programs could have been inserted to steal more personal information.
As well as clicking on the malicious link, some form of voice interaction would also have been needed. The researchers noted that hackers could get around this by creating a separate Alexa skill that required the same activation phrase as a legitimate service, so that when the user uttered the “invocation phrase” needed, it unwittingly activated the malicious skill.
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes. But hackers see them as entry points into people’s lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware,” said Oded Vanunu, Head of Products Vulnerabilities Research at Check Point.
“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy. We hope manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy. Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices. It’s these mega-digital platforms that present the biggest security risk and can hurt us the most. Therefore, their security levels are of crucial importance.”
Check Point says it reported the issue to Amazon in June 2020, with the company fixing the flaw soon after.
“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us,” Amazon said in a statement to the BBC.