Amazon Alexa Flaw Could Have Exposed Personal Information and Speech Histories

Right then. Another day, another reminder that the always-listening speaker in your kitchen might not be as secure as you’d hope.
Security researchers at Check Point have identified a rather nasty vulnerability in Amazon’s Alexa platform. When exploited, the flaw could have given attackers access to users’ personal information – including Amazon account details and, rather alarmingly, their entire speech histories.
That’s every command you’ve ever given to Alexa. Every timer set. Every awkward question asked at 2am when you thought no one was listening.

Threatpost’s technical breakdown explains the mechanics: researchers found cross-site scripting (XSS) flaws and cross-origin resource sharing (CORS) misconfigurations on Amazon and Alexa subdomains. A bad actor could convince a user to click on a malicious Amazon link – something that looks like a package tracking URL – and gain access to installed skills, personal data, and voice records.
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold,” said Oded Vanunu, Check Point’s head of products vulnerabilities research.
TechRadar notes that hackers could also have installed malicious skills or removed legitimate ones – essentially hijacking the device’s functionality without the owner being aware.
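Why the XSS and CORS combination described above matters, as an added example that is not code from Check Point, Threatpost or Amazon: a CORS policy that trusts every origin under a parent domain lets script running on any one subdomain read credentialed responses from another. The page does not give the actual policy, so the hostnames under `example.test`, the function names and the probe list are all constructed.

```javascript
// Added illustration. All hostnames are hypothetical (example.test).
const TRUSTED_ORIGINS = new Set([
  "https://account.example.test",
  "https://store.example.test",
]);

// Weak policy: reflects any Origin whose text ends with the parent domain.
function weakAllowOrigin(origin) {
  return typeof origin === "string" && origin.endsWith("example.test") ? origin : null;
}

// Strict policy: parse the Origin, require https, exact allow-list match.
function strictAllowOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch { return null; }
  if (url.protocol !== "https:") return null;
  return TRUSTED_ORIGINS.has(url.origin) ? url.origin : null;
}

// Response headers a credentialed API would send under a given policy.
function corsHeaders(policy, requestOrigin) {
  const allowed = policy(requestOrigin);
  if (!allowed) return {}; // no CORS headers: the browser blocks the read
  return {
    "Access-Control-Allow-Origin": allowed,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's grant to another
  };
}

// Audit helper: which probe origins may read credentialed responses?
function auditPolicy(policy, probes) {
  return probes.filter((o) => "Access-Control-Allow-Origin" in corsHeaders(policy, o));
}

const PROBES = [ // constructed sample origins
  "https://account.example.test", // intended caller
  "https://track.example.test",   // sibling subdomain not on the list; an XSS bug here inherits trust
  "https://evil-example.test",    // different registrable domain that shares the suffix
  "http://account.example.test",  // plaintext scheme
  "null",                         // opaque origin (sandboxed frame, local file)
];

console.log("weak allows:  ", auditPolicy(weakAllowOrigin, PROBES));
console.log("strict allows:", auditPolicy(strictAllowOrigin, PROBES));
```

Running the same probe list against a production policy in CI catches the day someone loosens the match to "any subdomain".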
The good news, if you can call it that, is that Amazon fixed the vulnerability after Check Point reported it in June. The researchers waited until now to publicly disclose. These kinds of platform vulnerabilities are exactly why debates around Section 230 and tech platform accountability keep heating up.
“The security of our devices is a top priority,” Amazon said in a statement. “We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”
Still. More than 200 million Alexa-enabled devices were sold by the end of 2019. That’s 200 million potential targets.
I don’t know about you, but I’m giving the smart speaker in my house a very suspicious look right now.
