After 400 vulnerabilities identified affecting the Qualcomm chipsets featured on milioni on Android smartphones, researchers from Check Point, a company specializing in cybersecurity, have identified some dangerous vulnerabilities present on Alexa, the voice assistant of Amazon. And this is a rather important security bug: if a hacker were to take advantage of it, he could steal a user’s personal data, including credentials for the checking account.
Researchers have identified security vulnerabilities in some sottodomini on Amazon / Alexa that could help a hacker take control of a user’s Alexa account without them noticing. To fall into the hacker trap, it was enough to click on a fake link that seemed to come from Amazon, but was instead corrupt. Once clicked on the link, the user opened the doors to the hacker who could manage the Alexa profile as he saw fit: install or uninstall skills, or steal personal data such as that of the current account. Check Point researchers have immediately notified Amazon who already has fixato vulnerabilities and fixed the problem.
Alexa profile under attack, hackers can take control
Check Point explained quite thoroughly how vulnerabilities discovered work. The problem was with some sottodomini on Amazon / Alexa not carefully protected that allowed a hacker to remotely take control of an Alexa account. To successfully exploit these vulnerabilities, a hacker had to convince a user to click on a link which appeared to be from Amazon, but was actually corrupt.
If the person clicks on the link, the hacker can:
- Access the victim’s personal information, such as banking history, usernames, phone numbers and home address.
- Extract the history of a victim’s voice commands.
- Silently install skills on a user’s Alexa account.
- View the entire skill list of an Alexa user account.
- Silently remove an installed skill.
Check Point researchers point out that the vulnerabilities were very dangerous because Alexa is now widespread in many devices around the world and it may happen that some users fall into the hacker trap.
Fortunately the vulnerabilities have been fixed thanks to the prompt intervention of Amazon technicians, which I doubt after being contacted by Check Point have fixed the problem.
–
