Home > Cyber News > Amazon’s Alexa Hacked, Contains Threatening Vulnerabilities
CYBER NEWS

Amazon’s Alexa Hacked, Contains Threatening Vulnerabilities

Currently, more than 200 million Alexa-powered devices are being used worldwide. Amazon’s intelligent virtual assistant is holding top positions in most markets.

In the U.S. alone, an eMarketer predictive analysis for 2021 shows that 70% of all smart speaker owners will continue to use Alexa.

Capable of voice interaction, music playblack, and carrying out other simple tasks, Alexa’s skills can now be extended with additional functionality developed by third-party vendors. These skills can be perceived as applications, like weather programs and audio features.




Vulnerabilities in Amazon’s Alexa

Unfortunately, security researchers at Checkpoint recently discovered that specific Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting (XSS). “Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf,” the team said in their report. The newly discovered attacks can also tamper with the skills added to Alexa.

The vulnerabilities could have allowed an attacker to remove or install skills on the targeted Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill, the researchers said.

What would these vulnerabilities enable an attack to do?

-Silently install skills (apps) on a user’s Alexa account
-Get a list of all installed skills on the user’s Alexa account
-Silently remove an installed skill
-Get the victim’s voice history with their Alexa
-Get the victim’s personal information

As seen in a prevalent number of malicious attacks, all that is needed for the exploit to be initiated is just one click on a specially crafted Amazon link. The good news is that the exploits have already been fixed, following Checkpoint’s report in June 2020.


How Secure Is Amazon Echo?

In AUgust 2017, MWR Labs researchers were able to demonstrate proof of concept code against the Amazon Echo device. The team was able to showcase how a potential Amazon Echo malware can be used to spy on users and carry out malicious actions. This was possible due to an insecure hardware implementation enabling access through exposed debug pads. This could then allow the device to be booted from external storage devices.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree