Researchers found security vulnerabilities in Alexa, Amazon’s AI-based virtual assistant, that leave personal data of users prone to hacking.
A team of researchers from Checkpoint, a cyber-threat intelligence firm, were able to access users’ voice interaction history with Alexa, view the voice commands and Alexa’s response to them. This can even expose users’ banking history, they said.
Amazon does not record users’ banking login credentials, but it records the users’ interactions with Alexa. Attackers can access users’ chat histories and interactions with bank skills and get their data history. They can also get usernames and phone numbers, depending on the skills installed on the users’ Alexa account, said Checkpoint.
Attackers can even see home address and other information about the users from their profiles.
“As virtual assistants today serve as entry points to people’s home appliances and device controllers, securing these points has become critical, with maintaining the user’s privacy being top priority,” Checkpoint said. “This was our ‘entry point’ and central motivation while conducting this research.”
Alexa is a software agent that can process commands or questions of its users and perform specific tasks or services based on them. It is capable of voice interaction, music playback, alarm setting, and smart device control.
Users can extend Alexa’s capabilities by installing “skills”, additional functions developed by third-party vendors, such as weather programs and audio features.
The team of researchers could view the entire list of skills installed on the users’ Alexa account, silently remove a skill from it, and install new ones.
After performing extensive research on the security features of the Alexa app, researchers were able to describe how attackers can perform actions on the users’ devices.
Once the user clicks on a malicious link that directs them to amazon.com, the attackers can steal information from the user’s skills page using a code-injection capability.
“Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker,” Checkpoint said.
According to Checkpoint, over 200 million Alexa-powered devices were sold last year. It expected Alexa to reach over $15 billion by 2025.