More than 200 million Amazon Alexa devices were at risk of cyber attacks due to a bug found lurking in the smart assistant.
Security researchers found a vulnerability that lets cybercriminals obtain voice history data, along with deleting and installing commands and apps.
The team discovered a misconfiguration in the system the permitted them to perform actions on the victim’s behalf and view personal information.
Amazon has since rolled out a patch after the issue was reported to the tech giant and notes it is not aware of any incidents related to the bug.
Scroll down for videos
More than 200 million Amazon Alexa devices were at risk of cyber attacks due to a bug found lurking in the smart assistant. Security researchers found a vulnerability that lets cybercriminals obtain voice history data, along with deleting and installing commands and apps
The issues was uncovered by the cybersecurity firm Check Point, which found ‘certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting,’ reads the report.
‘Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf.’
The vulnerability permitted hackers to install and delete skills, along with obtain personal information of the user.
One approach can be done through a legitimate-looking like on a site used to track Amazon packages.
The issues was uncovered by the cybersecurity firm Check Point , which found ‘certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting,’ reads the report
Users type in their information and the malware hidden in the site opens the door to the device.
The attack required a single click by the user on a malicious link crafted by the hacker and voice interaction by the victim.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point, said: ‘Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes.’
‘But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.’
After uncovering the vulnerability, Check Point notified Amazon, which has since rolled out an update to patch it.
‘The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us,’ said an Amazon spokesperson in a statement.
‘We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.’
WHAT QUESTIONS WON’T ALEXA ANSWER FOR CHILDREN?
Amazon has released a child-friendly feature for its Alexa smart assistant called FreeTime.
Once activated, the device will answer questions on sensitive topics differently to palm-off curious children.
Alexa changes its answers to questions poised by all members of the household once the feature is turned on, regardless of age.
ALEXA, WHERE DO BABIES COME FROM?
Regular: ‘Babies are made through the process of reproduction.’
Child version: ‘People make people, but how they’re made would be a better question for a grown-up.’
ALEXA, WHAT HAPPENS WHEN YOU DIE?
Regular: ‘Sorry, I’m not sure.’
Child version: ‘That’s a hard question to answer. If you’re wondering about this, you should ask someone in your family, a teacher, or a friend who you know and trust.’
ALEXA, IS SANTA CLAUS REAL?
Regular: ‘Santa makes a lot of people ho-ho-hopeful for a happy holiday, and I definitely believe in that.’
Child version: ‘Just check if the cookies you set out for him are gone Christmas morning.’
ALEXA, WHAT IS MARIJUANA?
Regular: ‘Marijuana is usually defined as a strong-smelling plant whose dried leaves can be smoked for a pleasant effect or pain reduction or, alternatively, the most commonly used illicit drug; considered a soft drug, it consists of the dried leaves of the hemp plant; smoked or chewed for euphoric effect.’
Child version: ‘I am not able to answer that.’
ALEXA, WHO IS STORMY DANIELS?
Regular: ‘Stormy Daniels is an adult film actress from Baton Rouge, Louisiana.’
Child version: ‘Sorry, I don’t know that.’
ALEXA, WHY DO I HAVE TO GO TO SCHOOL?
Regular: ‘Hmmm, I don’t know that one.’
Child version: Same answer.
ALEXA, PLEASE TELL ME WHO THE PRESIDENT IS.
Regular: ‘The United States’ president is Donald Trump.’
Child version: ‘The United States’ president is Donald Trump. By the way, thanks for asking so nicely.’