Security experts have discovered a gap in Amazon’s Alexa voice app, according to international media newowin news. Check Point Research said the attacker may obtain personal information from the user when exploiting the vulnerability, including Amazon account information and voice history.
Alexa Smartphone developers found this vulnerability while researching devices. They used a script to bypass the application traffic-protecting mechanism which allowed them to display the application in clear text. They also discovered that some requests received by the user had protocol misconfigurations that could allow them to circumvent the rules and send requests from hostile party-controlled domains.
Bad guys in the real world that convince naive consumers to click on a suspicious connection to Amazon, which actually has the capability to inject malware. The attacker can obtain a list of the apps and features that the user has installed on Alexa once clicked on them. Moreover, they can also remotely install and activate new skills for victims. Many more extreme attackers will get their speech history and personal details from the Alexa account of the user.
In a press release, Oded Vanunu, Head of Consumer Vulnerability Testing at Check Point, said: “Smart speakers and virtual assistants are so ubiquitous that we can easily disregard the personal details they have and how they influence other smart devices in our homes. Yet hackers see it as a gateway into the lives of people, allowing them the ability to access info, conversation eavesdrop, or do other malicious acts without the knowledge of the user.
Vanunu noted that Amazon’s consulting company revealed this vulnerability in June and the latter has replied to repair it. “We performed this work to underline how necessary it is to encrypt these apps and preserve consumer privacy. Luckily, Amazon replied immediately and our leaks and closed certain bugs on some subdomains of Amazon / Alexa.”