Vulnerability found in Alexa can allow attackers to expose victim users' voice history


Researchers discover a new vulnerability in the Alexa voice assistant that can allow attackers to expose your voice history

Amazon Alexa, also known simply as Alexa, is a virtual assistant AI technology developed by Amazon. It was first used in the Amazon Echo smart speakers developed by Amazon Lab126. It is capable of voice interaction, music playback, making to-do lists, setting alarms, streaming podcasts, playing audiobooks, and providing weather, traffic, sports, and other real-time information, such as news. Alexa can also control several smart devices, using itself as a home automation system. Users are able to extend Alexa's capabilities by installing “skills”.

A new report from Check Point Research discloses flaws in the popular Amazon Alexa that, if exploited, could give hackers access to a user’s voice history and personal information. That means that if you have been the target of this hack, all your recordings and your entire voice history can be exposed. The flaws found in Alexa could also have exposed information such as your home address and banking details.

“Our findings show that certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting. Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf,” a Check Point researcher said.

The research further claimed that the flaws also allowed hackers to replace the legacy skill script with an infected script that can be used to collect all the data and remotely control the devices connected to Alexa.

“Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history,” Check Point researchers said.

The researchers reported the bug and Amazon has fixed the flaw, but it is unclear how many devices were affected. “We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed,” an Amazon spokesperson told Wired.

If you feel you have been a victim of the hack, you can clear all your history, change all your passwords, and apply two-step verification where applicable.

