
Your data and conversations exposed by vulnerabilities

Check Point researchers have discovered security holes that allow a hacker to access personal data and voice recordings of Amazon Alexa users. A reminder about the security risks associated with connected speakers …

Practical and accessible, virtual assistants and connected speakers are used more and more by the general public. Unfortunately, these devices also represent a new attack surface for cybercriminals.

Check Point security researchers have announced the discovery of several vulnerabilities that could allow hackers to seize the personal data of Amazon Alexa users, and in particular their voice recordings.

Specifically, these security vulnerabilities were linked to subdomains of Alexa web services. The domains were vulnerable to “Cross-Site Scripting” (XSS) and to “Cross-Origin Resource Sharing” (CORS) misconfiguration.

Alexa flaws corrected by Amazon… but are there others?

To exploit these flaws, however, a hacker would have had to complete several steps. It would first be necessary to trick a user into clicking on a link. This link would have directed them to the domain “track.amazon.com”, from which code could have been injected by the hacker.

Once this code had been injected, a request could be sent to another Amazon page, with the victim’s cookies, in order to obtain a list of all Alexa skills installed on their account and a “Cross-Site Request Forgery” (CSRF) token.

This token would allow the attacker to replace a “skill” in the victim’s list with a malicious “skill”, which would activate the first time the victim tried to use it. The hacker would then have access to the user’s voice recording history and to their username, postal address and phone number.
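The chain above only works if the page that returns the skill list and CSRF token lets script running on a sibling subdomain read its cookie-authenticated responses. The following is an added example (not Check Point's or Amazon's code) that contrasts a CORS origin check trusting every subdomain with an exact allowlist; the function names and the example.com origins are hypothetical and constructed for illustration.

```javascript
// Constructed example: the domain, origins and function names are hypothetical.
const PARENT_DOMAIN = "example.com";

// Weak policy: every subdomain of the parent domain may read credentialed
// responses, so one script-injection flaw on any subdomain exposes them all.
function weakCorsHeaders(origin) {
  let host;
  try { host = new URL(origin).hostname; } catch { return {}; }
  if (host === PARENT_DOMAIN || host.endsWith("." + PARENT_DOMAIN)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Hardened policy: exact match against the origins that actually need access.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

function strictCorsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Browser rule: script at `origin` can read a response sent with cookies only
// if the origin is echoed exactly and credentials are explicitly allowed.
function canReadWithCookies(headers, origin) {
  return headers["Access-Control-Allow-Origin"] === origin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed sample origins for the audit.
const SAMPLE_ORIGINS = [
  "https://app.example.com",   // intended front end
  "https://track.example.com", // sibling subdomain, assumed to have an XSS flaw
  "https://unrelated.test",    // unrelated site
];

// Returns the origins whose scripts could read a response carrying a CSRF token.
function audit(policy) {
  return SAMPLE_ORIGINS.filter((o) => canReadWithCookies(policy(o), o));
}

console.log("weak  :", audit(weakCorsHeaders));
console.log("strict:", audit(strictCorsHeaders));
```

With the strict policy, an XSS flaw on the sibling subdomain can still send requests, but the browser refuses to hand the response (and the CSRF token in it) to the injected script.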

Fortunately, the Check Point researchers contacted Amazon, which took care of correcting these flaws. However, this discovery demonstrates that connected speakers can give hackers access to particularly sensitive personal data.

You probably don’t want GAFAM listening in on your private life, but it can get even more embarrassing if hackers intrude as well. It is very important that manufacturers take action to avoid such a risk, and that users keep the potential danger in mind when using these devices …
