New research into vulnerabilities in Amazon’s Alexa voice assistant platform shows why the personal data shared with smart assistants should be kept to a minimum.
The recently published findings showed that Alexa’s web services had bugs that a hacker could quickly exploit to grab a target’s entire voice history and personal data. The voice history includes the recorded audio interactions with Alexa. Though Amazon patched the flaws, the vulnerability remains and clearly shows the risks that sharing personal data can bring. Through this bug, a hacker could also delete any existing skill or install a malicious skill to acquire more data.
“Virtual assistants are devices that people just talk to and answer, and usually the people communicating don’t have any malicious scenarios or concerns in mind,” says Oded Vanunu, Check Point’s head of product vulnerability research. “But we came across a chain of vulnerabilities in the infrastructure configuration of Alexa that allows any malicious hacker to acquire information about users and even install new skills onto the devices.”
The flaws in Amazon and Alexa subdomains meant that an attacker would have to craft a genuine, normal-looking Amazon link to lure victims into the exposed parts of Amazon’s infrastructure.
By strategically directing victims to track.amazon.com, a vulnerable page not related to Alexa, the attacker would have to inject code that gave them a way to pivot into the Alexa infrastructure, sending a special request from the package-tracking page to skillsstore.amazon.com/app/secure/your-skills-page.
At this point, the platform would mistake the attacker for a legitimate user. The hacker would then get unlimited access to the victim’s entire audio history and installed skills, along with other account details. The attacker could also uninstall a skill and, if the hacker had placed a malicious skill in the Alexa Skills Store, could install that interloping application on the victim’s Alexa account.
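The article does not say how the skills endpoint decided to trust the request. The following is an added example, not Amazon's or Check Point's code, that assumes a server honouring the `Origin` of any sibling subdomain and contrasts it with an exact-match allowlist; the policies and function names are hypothetical.

```javascript
// Added illustration, not Amazon's code. Hostnames are from the article;
// both trust policies and all function names are hypothetical.
const SKILLS_ORIGIN = "https://skillsstore.amazon.com";

// Assumed weak policy: any host under the parent domain is trusted.
function trustsOriginWeak(origin) {
  try {
    const host = new URL(origin).hostname;
    return host === "amazon.com" || host.endsWith(".amazon.com");
  } catch {
    return false; // unparsable Origin header
  }
}

// Hardened policy: exact scheme+host match against an explicit allowlist.
const ALLOWED_ORIGINS = new Set([SKILLS_ORIGIN]);
function trustsOriginStrict(origin) {
  try {
    return ALLOWED_ORIGINS.has(new URL(origin).origin);
  } catch {
    return false;
  }
}

// Decide whether a request to the skills page may act on the user's session.
function handleSkillsRequest(req, trustsOrigin) {
  const { origin, cookie } = req.headers;
  // Browsers attach Origin to cross-origin scripted requests; reject
  // untrusted ones before the session cookie is even considered.
  if (origin !== undefined && !trustsOrigin(origin)) return 403;
  return cookie ? 200 : 401;
}

// Constructed sample requests (cookie values are placeholders).
const C = "session=PLACEHOLDER";
const SAMPLES = [
  { name: "own page", headers: { origin: SKILLS_ORIGIN, cookie: C } },
  { name: "track subdomain", headers: { origin: "https://track.amazon.com", cookie: C } },
  { name: "http downgrade", headers: { origin: "http://skillsstore.amazon.com", cookie: C } },
  { name: "no session", headers: { origin: SKILLS_ORIGIN } },
];

function evaluate(policy) {
  return Object.fromEntries(SAMPLES.map((s) => [s.name, handleSkillsRequest(s, policy)]));
}

console.log("weak  ", evaluate(trustsOriginWeak));
console.log("strict", evaluate(trustsOriginStrict));
```

Under the weak policy a script running on any sibling subdomain inherits the victim's session, which is why a flaw on an unrelated page matters to the skills endpoint.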
Check Point, as well as Amazon, stated that all skills in Amazon’s store are screened and monitored thoroughly for potentially harmful behavior, which means it is not confirmed that an attacker could have planted a malicious skill. It was also found that a hacker could access a victim’s banking data history through the attack, though Amazon says that information is censored in Alexa’s responses.
“The security of our every device is our top priority, and we appreciate the work of our leading independent researchers like Check Point who bring potential issues to our notice,” an Amazon spokesperson stated. “We fixed this issue soon after it was reported, and we would continue to strengthen the systems and applications further. We, however, are not aware of any cases of this vulnerability that may be used against our customers.”
Check Point’s head stated that the attack his team discovered was nuanced, and that it is not at all surprising that Amazon didn’t notice it on its own given the enormous scale of the company’s platforms.
Though users cannot control whether Amazon has a bug or how it is handled, they can control and minimize the data on their Alexa account. After this attack, Amazon made it simpler for users to delete their audio history. Users should do so frequently to prevent Amazon from storing the recordings indefinitely.