A vulnerability was found in the voice assistant Alexa from Amazon that allows access to the personal data of its owner. Millions of users around the world are under threat.
A team of researchers from Check Point discovered a vulnerability in Alexa speakers. With its help, attackers can gain access to the user’s personal information, including his voice requests, as well as to all data of the Amazon account.
The vulnerability was found in the Alexa companion application. Using a well-known generic script to bypass the mechanism, the researchers were able to look at the application’s traffic. There they found several bugs in the Alexa web services – using them, you can access data.
To exploit this vulnerability, an attacker simply needs to send a link to the user that leads to track.amazon.com, use a cookie to replace ownership of the application, and install malicious code. This allows an attacker to gain full access to the assistant and Amazon account.
The researchers warn that voice assistants are easier to hack than conventional devices. In order to prevent hackers from gaining access to the search history, it is important to delete it. In the Alexa columns, the user just needs to say, “Alexa, delete everything I said today.” You can do the same in the Alexa companion app by going to your privacy settings.
“Smart speakers and virtual assistants seem so unremarkable that, at times, we lose sight of their role in managing a smart home, as well as how much personal data they store. For this reason, hackers see such applications as entry points into people’s lives, through which they can gain access to personal data, eavesdrop on conversations and perform other malicious actions without the user’s knowledge, ”- noted in Check Point.