Budapest Post

Cum Deo pro Patria et Libertate
Budapest, Europe and world news

Amazon Alexa security bug allowed access to voice history

Amazon Alexa security bug allowed access to voice history

A flaw in Amazon's Alexa smart home devices could have allowed hackers access personal information and conversation history, cyber-security researchers say.

Attackers could install or remove apps on a device without the owner knowing, Check Point Research reports.

The hack "required just one click on an Amazon link" purposely crafted by the attacker, it says.

The firm told Amazon about the flaw, which has now been fixed.

Amazon said: "The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us."

It said it did not know of any case where a bad actor had used the vulnerability to target its customers.

In January, Amazon said there were "hundreds of millions" of Alexa devices in the world.

Malicious skills


Check Point said the hack required the creation of a malicious Amazon link, which would be sent to an unsuspecting user.

Once they clicked the link, the attacker could get a list of all installed Alexa "skills" - or apps - and steal a token allowing them add or remove skills.

One way to use the flaw would be to remove a skill and then install a malicious one that uses the same "invocation phrase" - the series of spoken words used to trigger it. This could have been done without the user knowing.

The next time the user tried to activate that skill, it would have run the attacker's app instead.

The attackers would have been able to see Alexa's voice history - a record of conversations between the user and device.

Check Point said this could create major problems, pointing to banking skills that let the user check their account balance.

"This could lead to exposure of personal information, such as banking data history," they argued - even though it does not save banking login details.

Amazon objected to this suggestion, however, saying that banking information - like balances - was redacted in the record of Alexa's responses, so it could not have been accessed.

The attack would also allow access to personal information in the Amazon profile, such as a home address, Check Point said.

Amazon also said it believed the use of a secret malicious skill was less likely than Check Point's researchers implied.



Amazon’s head of Alexa Dave Limp on privacy concerns



It said there were systems in place to prevent malicious skills from ever hitting the Alexa Skills Store - and that security reviews were part of their process.

Badly behaving apps were also routinely deactivated, it said.

"Their screening process probably would have caught most bad actors - they are quite good at that and know their reputation is at stake," said University of Surrey cyber-security expert Prof Alan Woodward.

"The thing about this hack was that it was due to a vulnerability that is well-known… so it's surprising to see it in Amazon's estate."

He said the access to voice records was a big concern, but was unsure if other hackers could have known about the vulnerabilities in specific subdomains used to launch the attack.

"Although if the security researchers found it, I'm sure less scrupulous people could have done the same."

AI Disclaimer: An advanced artificial intelligence (AI) system generated the content of this page on its own. This innovative technology conducts extensive research from a variety of reliable sources, performs rigorous fact-checking and verification, cleans up and balances biased or manipulated content, and presents a minimal factual summary that is just enough yet essential for you to function as an informed and educated citizen. Please keep in mind, however, that this system is an evolving technology, and as a result, the article may contain accidental inaccuracies or errors. We urge you to help us improve our site by reporting any inaccuracies you find using the "Contact Us" link at the bottom of this page. Your helpful feedback helps us improve our system and deliver more precise content. When you find an article of interest here, please look for the full and extensive coverage of this topic in traditional news sources, as they are written by professional journalists that we try to support, not replace. We appreciate your understanding and assistance.
Newsletter

Related Articles

0:00
0:00
Close
16 Billion Login Credentials Leaked in Unprecedented Cybersecurity Breach
Senate hearing on who was 'really running' Biden White House kicks off
Hungary Ranked Among the World’s Safest Travel Destinations for 2025
G7 Leaders Fail to Reach Consensus on Key Global Issues
FBI and Senate Investigate Allegations of Chinese Plot to Influence the 2020 Election in Biden’s Favor Using Fake U.S. Driver’s Licenses
Trump Demands Iran's Unconditional Surrender Amid Escalating Conflict
Shock Within Iran’s Leadership: Khamenei’s Failed Plan to Launch 1,000 Missiles Against Israel
Wreck of $17 Billion San José Galleon Identified Off Colombia After 300 Years
Man Convicted of Fraud After Booking Over 120 Free Flights Posing as Flight Attendant
Iran Launches Extensive Missile Attack on Israel Following Israeli Strikes on Nuclear Sites
Beata Thunberg Rebrands as Beata Ernman Amidst Sister's Activism Controversy
Hungarian Parliament Approves Citizenship Suspension Law
Prime Minister Orbán Criticizes EU's Ukraine Accession Plans
Hungarian Delicacies Introduced to Japanese Market
Hungary's Industrial Output Rises Amid Battery Sector Slump
President Sulyok Celebrates 15 Years of Hungarian Unity Efforts
Hungary's Szeleczki Shines at World Judo Championships
Visegrád Construction Trends Diverge as Hungary Lags
Hungary Hosts National Quantum Technology Workshop
Hungarian Animation Featured at Annecy Festival
Israel Issues Ultimatum to Iran Over Potential Retaliation and Nuclear Facilities
UK and EU Reach New Economic Agreement
Coinbase CEO Warns Bitcoin Could Supplant US Dollar Amid Mounting National Debt
Trump to Iran: Make a Deal — Sign or Die
Operation "Like a Lion": Israel Strikes Iran in Unprecedented Offensive
Israel Launches 'Operation Rising Lion' Targeting Iranian Nuclear and Military Sites
UK and EU Reach Agreement on Gibraltar's Schengen Integration
Israeli Finance Minister Imposes Banking Penalties on Palestinians
U.S. Inflation Rises to 2.4% in May Amid Trade Tensions
Trump's Policies Prompt Decline in Chinese Student Enrollment in U.S.
Global Oceans Near Record Temperatures as CO₂ Levels Climb
Trump Announces U.S.-China Trade Deal Covering Rare Earths
Smuggled U.S. Fuel Funds Mexican Cartels Amid Crackdown
Austrian School Shooting Leaves Nine Dead in Graz
Bezos's Lavish Venice Wedding Sparks Local Protests
Europe Prepares for Historic Lunar Rover Landing
Italian Parents Seek Therapy Amid Lengthy School Holidays
British Fishing Vessel Seized by France Fined €30,000
Dutch Government Collapses Amid Migration Policy Dispute
UK Commits to 3.5% GDP Defence Spending Under NATO Pressure
Germany Moves to Expedite Migrant Deportations
US Urges UK to Raise Defence Spending to 5% of GDP
Israeli Forces Intercept Gaza-Bound Aid Vessel Carrying Greta Thunberg
IMF Warns of Severe Global Trade War Impacts on Emerging Markets
Low Turnout Jeopardizes Italy's Citizenship Reform Referendum
Transatlantic Interest Rate Divergence Widens as Trump Pressures Powell
EU Lawmaker Calls for Broader Exemptions in Supply Chain Legislation
France's Defense Spending Plans Threatened by High National Debt
European Small-Cap Stocks Outperform U.S. Rivals Amid Growth Revival
Switzerland Proposes $26 Billion Capital Increase for UBS
×