‘One click’: How your Alexa could be silently hacked


Australians who own Alexa devices have been warned about a vulnerability that allowed hackers to control the device with a single click.

Although the vulnerability has now been fixed, cyber threat intelligence research firm Check Point said it was critical that users secure their smart devices, as virtual assistants are often entry points to people’s homes.

Intelligent virtual assistants or personal assistants such as Alexa work by performing tasks or services based on commands or questions. Users can add to Alexa’s functions by adding ‘skills’, functionalities developed by third parties.

Check Point Research showed that certain vulnerabilities would have allowed a hacker to silently install skills onto an Alexa account, or obtain a list of installed skills on the user’s account.

“In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill,” said Check Point researchers Dikla Barda, Roman Zaikin and Yaara Shriki.

And as the final icing on the cake, the hack would only be a click away.

“Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker.”

According to the researchers, Check Point reported the vulnerabilities to Amazon in June and the issue has now been fixed.

What you can do to avoid being hacked

The vulnerability has reportedly been fixed, but Check Point head of products vulnerabilities research Oded Vanunu said users should nonetheless be picky about the number of skills they install on their Alexa.

“Smart speakers and virtual assistants are so commonplace. It is easy to overlook just how much personal data they hold and their role in controlling other smart devices in our homes,” he said.

“But hackers see them as entry points into people’s lives. It allows them to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.

First published on Amazon Finance.
