Researchers at cybersecurity company Check Point have just revealed a critical vulnerability in Alexa, Amazon's well-known personal assistant, which also powers the Echo family of smart speakers. According to the analysts, a flaw in the company's domains allowed criminals to send victims malicious links that, if opened, would allow the attacker to compromise the user's Alexa device or Alexa account.
Having compromised the assistant, the attacker would be able to access personal information (including bank details), extract the history of voice commands, install or delete add-on features (the well-known "skills") and view the complete list of Internet of Things (IoT) devices associated with the user's profile. Since Echo devices are used for home automation, such attacks could even culminate in physical crimes.
"Smart speakers and virtual assistants are so common that it is very easy to ignore the amount of personal data they have, as well as their role in controlling other smart devices in our homes," says Oded Vanunu, head of product vulnerability research at Check Point. The executive points out that the study was done to draw attention to the lack of protection of this type of device.
"Cybercriminals, on the other hand, see them as entry points to access people's lives, giving them the opportunity to obtain data, listen to conversations or perform other malicious actions without the owner noticing," concludes the expert. According to Check Point, Amazon quickly corrected the flaws after receiving a formal notification, but it is difficult to know whether the technique was already being exploited by criminals before then.