After identifying 400 vulnerabilities affecting Qualcomm chipsets present on millions of Android smartphones, researchers at Check Point have discovered dangerous vulnerabilities in Amazon Alexa.
Researchers have identified security vulnerabilities in some Amazon / Alexa subdomains that could help hackers take control of a user’s Alexa account without them noticing.
To fall into the hacker’s trap, users only have to click on a fake Amazon link that has been specially crafted by the attacker. Once the user clicked the link, the door was open to the hacker, who could then manage the victim’s Alexa profile.
Alexa user profile under attack
Check Point has explained quite thoroughly how the vulnerabilities discovered by the team work.
The issue involved some unprotected Amazon / Alexa subdomains that allowed hackers to take control of an Alexa account remotely. In order to exploit these vulnerabilities, a hacker had to convince a user to click on a link that appeared to be from Amazon but was actually malicious.
If the person clicks on the link, the hacker can:
- Access the victim’s personal information, such as banking history, usernames, phone numbers and home address.
- Extract the history of a victim’s voice commands.
- Silently install skills on a user’s Alexa account.
- View the entire skill list of an Alexa user account.
- Silently remove an installed skill.
Check Point researchers underline that the vulnerabilities were very dangerous because Alexa is now widespread in many devices around the world, and some users may fall into the hacker’s trap.
Check Point researchers have notified Amazon about the security flaw, and the prompt intervention of Amazon technicians has now fixed the problem.