Research: Attackers Can Access Personal Information Via Alexa

Virtual assistants and IoT devices like Alexa are inherently vulnerable to cyber attacks, and hackers can use them to gather sensitive information.

Alexa and other virtual assistants are becoming a part of the workplace and conference room, but new research suggests that they may not be as secure as we thought.

Alexa, Amazon’s virtual assistant, which is becoming a larger presence in the enterprise, is not immune to outside attacks because its subdomains are vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting (XSS), Check Point researchers wrote in a new study.

“Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf,” researchers say.

Exploiting these vulnerabilities, attackers could silently install apps on a user’s Alexa account, get a list of all installed skills on the account, silently remove a skill, get the victim’s voice history and get the victim’s personal information.

“In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill,” researchers wrote. “Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker.”

Virtual assistants are becoming more common in both the home and workplace, so anyone using Alexa should be aware of this vulnerability and take steps to mitigate these potential attacks.

According to Check Point, IoT devices like Alexa still lack adequate security. That makes them attractive targets for cybercriminals.

“Cybercriminals are continually looking for new ways to breach devices, or use them to infect other critical systems,” Check Point researchers wrote. “This research presented a weak point in what is a bridge to such IoT appliances. Both the bridge and the devices serve as entry points. They must be kept secured at all times to keep hackers from infiltrating our smart homes.”

Read Check Point’s research for the extensive technical details.
