Budapest Post

Cum Deo pro Patria et Libertate
Budapest, Europe and world news
 Magyar
Amazon Alexa security bug allowed access to voice history

Amazon Alexa security bug allowed access to voice history

A flaw in Amazon's Alexa smart home devices could have allowed hackers access personal information and conversation history, cyber-security researchers say.

Attackers could install or remove apps on a device without the owner knowing, Check Point Research reports.

The hack "required just one click on an Amazon link" purposely crafted by the attacker, it says.

The firm told Amazon about the flaw, which has now been fixed.

Amazon said: "The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us."

It said it did not know of any case where a bad actor had used the vulnerability to target its customers.

In January, Amazon said there were "hundreds of millions" of Alexa devices in the world.

Malicious skills


Check Point said the hack required the creation of a malicious Amazon link, which would be sent to an unsuspecting user.

Once they clicked the link, the attacker could get a list of all installed Alexa "skills" - or apps - and steal a token allowing them add or remove skills.

One way to use the flaw would be to remove a skill and then install a malicious one that uses the same "invocation phrase" - the series of spoken words used to trigger it. This could have been done without the user knowing.

The next time the user tried to activate that skill, it would have run the attacker's app instead.

The attackers would have been able to see Alexa's voice history - a record of conversations between the user and device.

Check Point said this could create major problems, pointing to banking skills that let the user check their account balance.

"This could lead to exposure of personal information, such as banking data history," they argued - even though it does not save banking login details.

Amazon objected to this suggestion, however, saying that banking information - like balances - was redacted in the record of Alexa's responses, so it could not have been accessed.

The attack would also allow access to personal information in the Amazon profile, such as a home address, Check Point said.

Amazon also said it believed the use of a secret malicious skill was less likely than Check Point's researchers implied.



Amazon’s head of Alexa Dave Limp on privacy concerns



It said there were systems in place to prevent malicious skills from ever hitting the Alexa Skills Store - and that security reviews were part of their process.

Badly behaving apps were also routinely deactivated, it said.

"Their screening process probably would have caught most bad actors - they are quite good at that and know their reputation is at stake," said University of Surrey cyber-security expert Prof Alan Woodward.

"The thing about this hack was that it was due to a vulnerability that is well-known… so it's surprising to see it in Amazon's estate."

He said the access to voice records was a big concern, but was unsure if other hackers could have known about the vulnerabilities in specific subdomains used to launch the attack.

"Although if the security researchers found it, I'm sure less scrupulous people could have done the same."

AI Disclaimer: An advanced artificial intelligence (AI) system generated the content of this page on its own. This innovative technology conducts extensive research from a variety of reliable sources, performs rigorous fact-checking and verification, cleans up and balances biased or manipulated content, and presents a minimal factual summary that is just enough yet essential for you to function as an informed and educated citizen. Please keep in mind, however, that this system is an evolving technology, and as a result, the article may contain accidental inaccuracies or errors. We urge you to help us improve our site by reporting any inaccuracies you find using the "Contact Us" link at the bottom of this page. Your helpful feedback helps us improve our system and deliver more precise content. When you find an article of interest here, please look for the full and extensive coverage of this topic in traditional news sources, as they are written by professional journalists that we try to support, not replace. We appreciate your understanding and assistance.
Read more
Newsletter
Related Articles
Playlist Hide
0:00
0:00
Open
0:00
0:00
Close
Ukraine Declares De Facto War on Hungary and Slovakia with Terror Drone Strikes on Their Gas Lifeline
A monster hit and a billion-dollar toy empire
Animated K-pop Musical ‘KPop Demon Hunters’ Becomes Netflix’s Most-Watched Original Animated Film
Canada: Nurse Suspended and Fined 93 Thousand Dollars After Stating the World’s Most Well-Known Fact Since the Creation of Adam and Eve, That There Are Only Two Genders
Elon Musk tweeted, “Europe is dying”
Far-Right Activist Convicted of Incitement Changes Gender and Demands: "Send Me to a Women’s Prison" | The Storm in Germany
Hungary Criticizes Ukraine: "Violating Our Sovereignty"
Will this be the first country to return to negative interest rates?
U.S. Treasury Secretary Whitney Bessent Backs Stablecoins to Boost Treasury Demand
Spain to Declare Disaster Zones After Massive Wildfires
Three-Minute Battery Swap Touted as Future of EVs
Beijing Military Parade to Showcase Weapons Advances
U.S. Tech Stocks Slide on AI Boom Concerns
White House Confirms Talks Over Intel Stake
Trump Suggests U.S. Could Support Ukraine ‘By Air’
Trump Called Viktor Orbán: "Why Are You Using the Veto"
Horror in the Skies: Plane Engine Exploded, Passengers Sent Farewell Messages
AI in Policing: Draft One Helps Speed Up Reports but Raises Legal and Ethical Concerns
Shame in Norway: Crown Princess’s Son Accused of Four Rapes
Apple Begins Simultaneous iPhone 17 Production in India and China
A Robot to Give Birth: The Chinese Announcement That Shakes the World
Finnish MP Dies by Suicide in Parliament Building
Outrage in the Tennis World After Jannik Sinner’s Withdrawal Storm
Class Action Lawsuit Against Volkswagen: Steering Wheel Switches Cause Accidents
UK Government Tries to Sue 4chan for Breaching Online Safety Act
Dogfights in the Skies: Airbus on Track to Overtake Boeing and Claim Aviation Supremacy
Tim Cook Promises an AI Revolution at Apple: "One of the Most Significant Technologies of Our Generation"
Are AI Data Centres the Infrastructure of the Future or the Next Crisis?
Miles Worth Billions: How Airlines Generate Huge Profits
Cambridge Dictionary Adds 'Skibidi,' 'Delulu,' and 'Tradwife' Amid Surge of Online Slang
Zelenskyy Returns to White House Flanked by European Allies as Trump Pressures Land-Swap Deal with Putin
The CEO Who Replaced 80% of Employees for the AI Revolution: "I Would Do It Again"
"Every Centimeter of Your Body Is a Masterpiece": The Shocking Meta Document Revealed
Character.ai Bets on Future of AI Companionship
China Ramps Up Tax Crackdown on Overseas Investments
Japanese Office Furniture Maker Expands into Bomb Shelter Market
Intel Shares Surge on Possible U.S. Government Investment
Hurricane Erin Threatens U.S. East Coast with Dangerous Surf
EU Blocks Trade Statement Over Digital Rule Dispute
EU Sends Record Aid as Spain Battles Wildfires
Beijing is moving into gold and other assets, diversifying away from the dollar
China Requires Data Centres to Source Majority of AI Chips Locally, For Technological Sovereignty
Escalating Clashes in Serbia as Anti-Government Protests Spread Nationwide
Category 5 Hurricane in the Caribbean: 'Catastrophic Storm' with Winds of 255 km/h
Trump Backs Putin’s Land-for-Peace Proposal Amid Kyiv’s Rejection
Digital Humans Move Beyond Sci-Fi: From Virtual DJs to AI Customer Agents
YouTube will start using AI to guess your age. If it’s wrong, you’ll have to prove it
Jellyfish Swarm Triggers Shutdown at Gravelines Nuclear Power Station in Northern France
OpenAI’s ‘PhD-Level’ ChatGPT 5 Stumbles, Struggles to Even Label a Map
Zelenskyy to Visit Washington after Trump–Putin Summit Yields No Agreement
×