
Check Point Research discovers vulnerabilities in certain subdomains of Amazon / Alexa

Check Point researchers have discovered vulnerabilities in certain Amazon / Alexa subdomains that could be exploited by hackers and that can potentially affect 200 million users around the world. There is nothing to say that they have not already been used by hackers operating stealthily in order to gather as much information as possible. It should be noted from the outset that Amazon, once warned of the vulnerability, promptly corrected it.

This incident highlights a fact that users tend to overlook: the phenomenal amount of personal data stored by virtual assistants makes them prime targets for hackers. Attacks on virtual assistants are the natural complement to phishing for gathering information in order to prepare attacks on individuals or companies.

“Hackers see them as entry points into people’s lives, to access data, listen to conversations or perform other malicious actions without the knowledge of their owner,” says Oded Vanunu, head of research on product vulnerabilities at Check Point.

Open access to user data

By creating and sending a malicious link that appears to come from Amazon, a cybercriminal can use this vulnerability to remove or install skills on the targeted victim’s Alexa account and to access their voice chat history and personal data. The attack would require only a single click by the user on this malicious link, followed by voice interaction.

When the user clicks on the link, the hacker can then access the personal information of the victim, such as bank details history, usernames, phone numbers and home address; extract the history of the victim’s voice exchanges with their Alexa device; silently install skills (applications) on the victim’s Alexa account; view the complete list of skills from the victim’s Alexa account, and silently remove an installed skill.
