After hacking TikTok, Microsoft Azure, WhatsApp and Philips light bulbs, it is now the turn of Alexa, Amazon's voice assistant, to be the target of this hacking team.
Once again, the team managed to break into the program, starting from the assumption that the 200 million devices carrying Alexa "could be a preferred entry point for hackers." Check Point's research team is now highlighting "serious security flaws in Alexa" in a more concrete way. According to the team, "with one click, a user could have given up their voice history, personal address and control of their Amazon account."
The risks of using connected speakers, and virtual assistants in general, are nothing new. Last year this kind of device was already at the heart of several scandals, notably when it came out that users' conversations and exchanges with these programs were being recorded with the aim of improving the performance of the artificial intelligence behind them.
But we must not be naïve: any device we use that can be connected to the Internet presents a risk in some way. As for the Amazon tool, the cybersecurity company's research team has pointed out that the method used to hack Alexa is not sophisticated.
Amazon, once alerted to the vulnerability, immediately deployed updates to the affected software. "The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who report potential problems," said a spokesperson. "We resolved this issue shortly after it came to our attention, and we continue to strengthen our systems. We are not aware of any instances of this vulnerability being used against our customers or of customer information being exposed."
We can therefore assume that the problem is solved for the time being. But one wonders how this could have happened. What is this vulnerability really about? The researchers say they started with a phishing technique, sending a malicious link to a chosen victim. The particularity of this link was that it automatically triggered the security breach, which could then allow the attacker to "silently install skills on a user's Alexa account, obtain a list of all the skills installed on the account, silently remove an installed skill, obtain the victim's voice history or personal information."
Simply put, if the user clicks on the link they receive, they are directed to what looks like an Amazon site. This site is of course fake: it is a platform prepared by the cybercriminal to inject malicious code into the victim's device. In this way the attacker extracts the Alexa-related applications (skills) already installed by the user in order to steal their security tokens, then removes one of those applications and replaces it with another designed for hacking. The moment the user asks Alexa to activate that application, the cybercriminal's version becomes active.
A hacking campaign affecting Alexa may be indiscriminate or targeted. Cybercriminals either send links en masse to a list of people, patiently waiting for some of them to bite, or focus specifically on a victim of their choice. In the latter case, Check Point expert Oded Vanunu notes that "an attacker could conduct a more elaborate attack by obtaining the skill list and replacing one of his skills with a similar-looking malicious skill." Even though such a feat is not particularly sophisticated, being "a combination of bad XSS, CSRF and CORS configurations," to the user "this attack would seem transparent and sophisticated."
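The article attributes the attack to bad XSS, CSRF and CORS configurations but does not show what a bad CORS configuration looks like. The following is an added example, not code from the article, from Check Point or from Amazon: it contrasts a server that reflects any `Origin` header while allowing credentials (the pattern that lets a third-party page read responses carrying the victim's cookies and tokens) with an exact-match allow-list. All hostnames are placeholders invented for the example.

```javascript
// Added example (not from the article, Check Point or Amazon): how a server's
// CORS policy decides whether a browser may read a credentialed response.
// The hostnames below are placeholders invented for this example.

// Weak pattern: reflect whatever Origin the browser sent and allow credentials.
// Any site the victim visits can then read responses that carry the victim's
// session cookies, which is exactly what a CSRF-style token theft needs.
function weakCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: an exact-match allow-list of origins (scheme + host + port),
// no wildcards or suffix matching, plus Vary: Origin so a shared cache never
// serves one origin's answer to another.
const ALLOWED_ORIGINS = new Set([
  "https://app.example-assistant.test",    // placeholder first-party web app
  "https://skills.example-assistant.test", // placeholder skill-store front-end
]);

function strictCorsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  let origin;
  try {
    // URL parsing normalises case and strips any path, so comparison is exact.
    origin = new URL(requestOrigin).origin;
  } catch {
    return { Vary: "Origin" }; // missing or malformed Origin: no CORS grant at all
  }
  if (!allowed.has(origin)) return { Vary: "Origin" }; // unknown origin: no grant
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Mirrors the browser-side check: a page at requestOrigin may read a
// credentialed response only if both headers match its origin exactly.
function crossOriginReadAllowed(headers, requestOrigin) {
  return headers["Access-Control-Allow-Origin"] === requestOrigin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

module.exports = { weakCorsHeaders, strictCorsHeaders, crossOriginReadAllowed };
```

With the weak policy, a page on any origin can read the victim's data; with the strict policy, only the two listed origins can, and look-alike hosts such as `app.example-assistant.test.attacker.test` are rejected because the whole origin, not a prefix, must match.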
In this context, Ekram Ahmed, spokesperson for Check Point, gives some advice on not being caught out by this vulnerability: "We publish safety tips and guidelines on the use of Alexa. Avoid unknown apps; don't install them on your smart speaker. Pay attention to sensitive information you share with your smart speaker, such as passwords and bank accounts. Nowadays, anyone can create smart assistant apps, so find out about the app before you install it and check the permissions it needs. Anyone can publish a skill, and skills can perform actions and get information."
Vigilance is required because the use of tools like Alexa touches, in a certain way, our personal data. "Any user's personal information that has been shared with the Alexa device could potentially be at risk," Vanunu said. "These applications could be financial or retail applications. With this attack, I could uninstall and install fake applications that will be triggered by a secure uninstalled app call," he adds.