Security bugs in Alexa cause personal data leaks of several users, report says

A team of researchers from Checkpoint, a cyber-threat intelligence firm, was able to access users’ voice interaction history with Alexa and view the voice commands and Alexa’s responses to them. This can even expose users’ banking history, they said.

August 17, 2020 05:36 pm | Updated August 18, 2020 02:42 pm IST

Security vulnerabilities in Alexa can reveal users' personal data

Researchers found security vulnerabilities in Alexa, Amazon’s AI-based virtual assistant, that leave personal data of users prone to hacking.

Amazon does not record users’ banking login credentials, but it records the users’ interactions with Alexa. Attackers can access users’ chat histories and interactions with bank skills and get their data history. They can also get usernames and phone numbers, depending on the skills installed on the users’ Alexa account, said Checkpoint.

Attackers can even see the home address and other information about the users from their profiles.

“As virtual assistants today serve as entry points to people’s home appliances and device controllers, securing these points has become critical, with maintaining the user’s privacy being top priority,” Checkpoint said. “This was our ‘entry point’ and central motivation while conducting this research.”

Alexa is a software agent that can process commands or questions from its users and perform specific tasks or services based on them. It is capable of voice interaction, music playback, alarm setting, and smart-device control.

Users can extend Alexa’s capabilities by installing “skills”, additional functions developed by third-party vendors, such as weather programs and audio features.

The team of researchers could view the entire list of skills installed on the users’ Alexa account, silently remove a skill from it, and install new ones.

After performing extensive research on the security features of the Alexa app, researchers were able to describe how attackers can perform actions on the users’ devices.

Once the user clicks on a malicious link that directs them to amazon.com, the attackers can steal information from their skills page using code-injection capability.

“Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker,” Checkpoint said.

According to Checkpoint, over 200 million Alexa-powered devices were sold last year. It expected Alexa to reach over $15 billion by 2025.
