Currently, more than 200 million Alexa-powered devices are being used worldwide. Amazon’s intelligent virtual assistant is holding top positions in most markets.
In the U.S. alone, an eMarketer predictive analysis for 2021 shows that 70% of all smart speaker owners will continue to use Alexa.
Alexa is capable of voice interaction, music playback, and carrying out other simple tasks, and its skills can now be extended with additional functionality developed by third-party vendors. These skills can be thought of as applications, like weather programs and audio features.
Vulnerabilities in Amazon’s Alexa
Unfortunately, security researchers at Check Point recently discovered that specific Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting (XSS). “Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf,” the team said in their report. The newly discovered attacks can also tamper with the skills added to Alexa.
The vulnerabilities could have allowed an attacker to remove or install skills on the targeted Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill, the researchers said.
What would these vulnerabilities enable an attacker to do?
- Silently install skills (apps) on a user’s Alexa account
- Get a list of all installed skills on the user’s Alexa account
- Silently remove an installed skill
- Get the victim’s voice history with their Alexa
- Get the victim’s personal information
As with many malicious attacks, all that is needed to initiate the exploit is a single click on a specially crafted Amazon link. The good news is that the vulnerabilities have already been fixed, following Check Point’s report in June 2020.
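The following is an added example, not code from the Check Point report or from Amazon. It shows why a CORS policy that trusts every sibling subdomain turns an XSS bug on any one of them into credentialed access to the others, and what a strict allowlist looks like beside it. The `example.test` hostnames and the suffix-matching weak policy are assumptions made for illustration, since the article does not describe the exact misconfiguration.

```javascript
// Constructed hostnames: example.test stands in for a site with many subdomains.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.test",
  "https://account.example.test",
]);

// Weak policy (assumed for illustration): reflect any Origin ending in the parent domain.
function weakCorsHeaders(origin) {
  if (typeof origin === "string" && origin.endsWith("example.test")) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Hardened policy: exact scheme + host + port match against a short allowlist.
function strictCorsHeaders(origin) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return {}; // absent, "null" or malformed Origin gets no CORS headers
  }
  if (parsed.origin !== origin || !ALLOWED_ORIGINS.has(parsed.origin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // keep shared caches from replaying one origin's grant to another
  };
}

// Constructed Origin values a reviewer would test a policy with.
const PROBE_ORIGINS = [
  "https://app.example.test",          // the real front end
  "https://legacy-promo.example.test", // sibling subdomain, assumed to have an XSS bug
  "http://app.example.test",           // cleartext downgrade of the front end
  "https://evilexample.test",          // different registrable domain, same suffix
  "null",                              // sandboxed iframe or file:// page
];

// Returns the probe origins that a policy lets read credentialed responses.
function grantedOrigins(policy) {
  return PROBE_ORIGINS.filter((o) => policy(o)["Access-Control-Allow-Credentials"] === "true");
}
```

Under the weak policy four of the five probe origins can read authenticated responses, which is where a CSRF token would be exposed; the strict policy grants only the allowlisted front end.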
How Secure Is Amazon Echo?
In August 2017, MWR Labs researchers demonstrated proof-of-concept code against the Amazon Echo device. The team showed how potential Amazon Echo malware could be used to spy on users and carry out malicious actions. This was possible due to an insecure hardware implementation that enabled access through exposed debug pads, which could then allow the device to be booted from external storage devices.