Check Point Press Releases

Turning Alexa Bad: Check Point Research Finds Vulnerabilities in Certain Amazon Alexa Subdomains

Researchers demonstrate how hackers could remove/install skills on a victim’s Alexa account, access voice histories, and personal information


San Carlos, CA  —  Thu, 13 Aug 2020

Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, recently identified security vulnerabilities in certain Amazon/Alexa subdomains that would have allowed a hacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and personal data. The attack required a single click by the user on a malicious link crafted by the hacker and voice interaction by the victim.

With over 200 million sold globally, Alexa is capable of voice interaction, setting alerts, music playback, and controlling smart devices in a home automation system. Users can extend Alexa’s capabilities by installing ‘skills.’ which are voice-driven apps. However, the personal information stored in users’ Alexa accounts and the device’s use as a home automation controller makes them an attractive target for hackers.

Check Point researchers demonstrated how the vulnerabilities they found in certain Amazon/Alexa subdomains could be exploited by a hacker crafting and sending a malicious link to a target user, which appears to come from Amazon.  If the user clicks the link, the attacker can then:

  • Access a victim’s personal information, such as banking data history, usernames, phone numbers and home address
  • Extract a victim’s voice history with their Alexa
  • Silently install skills (apps) on a user’s Alexa account
  • View the entire skill list of an Alexa user’s account
  • Silently remove an installed skill

“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes. But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware,” said Oded Vanunu, Head of Products Vulnerabilities Research at Check Point.  “We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy. Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains. We hope manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy. Previously, we conducted research on Tiktok, WhatsApp and Fortnite. Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices. It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”

Amazon fixed this issue soon after it was reported.

 

For details of the vulnerabilities and a video showing how they could have been exploited, visit https://research.checkpoint.com

 

Follow Check Point Research via:
Blog: https://research.checkpoint.com/
Twitter: https://twitter.com/_cpresearch_

 

About Check Point Research

Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud AI to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.

 

About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading provider of cyber security solutions to governments and corporate enterprises globally. Its solutions protect customers from 5th generation cyber-attacks with an industry leading catch rate of malware, ransomware and other types of attacks. Check Point offers multilevel security architecture, “Infinity” Total Protection with Gen V advanced threat prevention, which defends enterprises’ cloud, network and mobile device held information. Check Point provides the most comprehensive and intuitive one point of control security management system. Check Point protects over 100,000 organizations of all sizes.

 

×
  フィードバック
このWebサイトは、機能性と分析およびマーケティングの目的でCookieを使用しています。Webサイトを引き続きご利用いただくことで、Cookieの使用に同意したことになります。詳細については、Cookieに関する通知をお読みください。
OK