A recent Alexa hack revealed several vulnerabilities in Amazon’s Alexa, as reported by Check Point Security researchers. An alarming number of Amazon and Alexa subdomains were vulnerable to a Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting (XSS). According to the researchers, the hackers tricked the Amazon servers with a script that gave them access to the smart home ecosystem and installation, allowing the perpetrators to install Alexa skills without the user’s consent or knowledge.
Check Point Security noted that skill manipulation on an Amazon device can lead to the acquisition of the existing list of installed skills, the user’s voice history and patterns, personal data, and search history. These types of hacks can lead down a very dark path, with every interaction recorded and archived. For example, Amazon does not record your banking login information, but a hacked device will. If a device is compromised, the attacker can gain access to the user’s interaction with the bank skill and get their data history.
Virtual assistants, which are used in smart homes to control everyday IoT devices, have grown in popularity in recent years. With a new product on the market, malicious groups or individuals are going to take advantage of vulnerabilities. This incident was discovered and patched in June, but the lack of adequate security makes virtual assistants attractive targets for threat actors.