Your Alexa account may have been hacked with 1 nasty link


A variety of surprising flaws in Amazon's cloud-based virtual assistant service, Alexa, have been discovered by security researchers. The flaws allowed cybercriminals to modify Alexa's skills, listen to Alexa's voice recordings, and access users' personal data.

These vulnerabilities, identified by security software firm Check Point, affected specific subdomains used by Amazon and Alexa. The flaws resided on Amazon's servers and not on Amazon Echo devices or other Alexa-enabled devices.

Check Point warned that there were "several different ways" these flaws could be exploited.

One way is to create a malicious page on the Amazon.com or Alexa.com domain and send victims links to that page. When a victim clicks the link, the malicious page obtains a specific type of authentication token that gives the attacker access to the victim's Alexa account. According to Check Point, from there the attacker was able to remove the installed Alexa app and replace it with a malicious app of the same name. This malicious app would run the next time the victim invoked the app using their Alexa device.

"The attack required only one click by the user on a malicious link created and sent by the hacker, and all the victim had to do was interact with it via voice," the security firm warned in a press release.

Alexa is one of the world's most popular AI assistants, boasting tens of millions of users worldwide. People use the service to listen to music, manage their calendars, control smart home products, and for other reasons.

But with so many users and a treasure trove of voice data, Alexa has become "an attractive target for hackers," warns Check Point.

Oded Vanunu, Check Point's head of product vulnerability research, says: "Smart speakers and virtual assistants are so commonplace that it's easy to overlook how much personal information they hold and the role they play in controlling other smart devices in the home."

Hackers, however, see them as an entry point into people's lives, giving them the opportunity to access data, eavesdrop on conversations, and perform other malicious acts without the owner being aware of it.

Attackers can distribute links that appear to come from Amazon and lead to malicious pages on the Amazon.com or Alexa.com domains, and users can easily be persuaded to click on them. This allows hackers to carry out a myriad of malicious acts. Check Point noted that hackers could perform the following actions:

Check Point then reported the vulnerability to Amazon, and it has now been fixed. Check Point said, "We conducted this investigation to underscore how important securing these devices is to maintaining user privacy. Thankfully, Amazon responded quickly to our disclosure and plugged these vulnerabilities in certain Amazon/Alexa subdomains."

Shortly after this article first appeared, Amazon contacted Tom's Guide to confirm that the vulnerabilities had been fixed, issuing the following statement. An Amazon spokesperson said, "The security of our devices is a top priority and we appreciate independent researchers like Check Point reporting potential issues to us. We fixed this issue shortly after it was brought to our attention and continue to further harden our systems. We are not aware of any cases where this vulnerability has been used against our customers or where customer information has been compromised."
