According to the researchers, the vulnerabilities may have allowed attackers to silently set up or delete Alexa ‘skills’ on an person’s Alexa account with out consent. Hackers may have additionally accessed a listing of all put in abilities on any compromised Alexa account, they stated. What’s much more worrying is that the failings allowed attackers to achieve entry to an person’s voice historical past and private info.
“In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill”, stated the researchers. To efficiently break into different individuals’s Alexa accounts, hackers simply wanted to get unsuspecting customers to click on on a specially-crafted Amazon hyperlink. The researchers additionally stated that they may entry the cellphone numbers, dwelling addresses, usernames and banking information of many customers by deploying their proof-of-concept code.
Check Point disclosed the findings to Amazon in June, and fortunately, the e-commerce big has since patched the vulnerabilities. “We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy”, stated Oded Vanunu, Check Point’s Head of Products Vulnerabilities Research. “Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains”, he stated.
Featured Image Courtesy: Check Point