Alexa, how could you?
Noting that Alexa has now become the gateway to all sorts of personal information as well as control over household items, Check Point’s software researchers, in a blog post published on Thursday (Aug. 13), detailed how they probed the system for vulnerabilities.
In particular, Check Point said it was able to use Cross Site Scripting, or XSS, to obtain the Cross-Origin Resource Sharing token, crack an Alexa account and “perform actions on the victim’s behalf.” XSS enables an attacker to insert malicious scripts into a victim’s web browser.
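The chain described above rests on two ordinary web-application defects: untrusted input reflected into a page (XSS) and a cross-origin policy loose enough to let a foreign site read an authenticated response. The example below is added here and is not Check Point's or Amazon's code; it shows each defect as a vulnerable server-side function beside its hardened counterpart, so the fix and a simple check for it can be seen side by side. The allowlisted origin, the query parameter and the probe string are all constructed for illustration.

```javascript
// Added example, not from the article's research. Origins and inputs below are constructed.

// Constructed allowlist: the only front-end origin permitted to make credentialed calls.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Escape the five characters that let untrusted text break out of an HTML text node or attribute.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the query parameter is reflected into the page unchanged, so any markup in it is
// interpreted by the browser (the reflected-XSS pattern the article refers to).
function renderSearchVulnerable(q) {
  return `<p>Results for: ${q}</p>`;
}

// HARDENED: output encoding for the HTML-text context turns the same input into inert text.
function renderSearchHardened(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Simple detection helper: does the rendered HTML still contain an unescaped script tag?
function containsRawScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// VULNERABLE: echoes whatever Origin header the browser sent and also allows credentials, so a page
// on any site can read the authenticated response body (the over-permissive CORS class).
function corsHeadersVulnerable(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// HARDENED: only an allowlisted origin receives a credentialed grant; anything else gets no CORS
// headers at all, and Vary: Origin keeps caches from serving one origin's grant to another.
function corsHeadersHardened(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Stand-alone demonstration with a constructed probe string.
const probe = "<script>probe()</script>";
console.log("vulnerable render executes markup:", containsRawScriptTag(renderSearchVulnerable(probe)));
console.log("hardened render:", renderSearchHardened(probe));
console.log("vulnerable CORS for foreign origin:", corsHeadersVulnerable("https://other.example"));
console.log("hardened CORS for foreign origin:", corsHeadersHardened("https://other.example"));
```

In a real service the two hardened functions sit at the response boundary: every value written into HTML passes through an encoder for its context, and the CORS grant is computed from a fixed allowlist rather than from the request. Logging requests whose Origin is not on the allowlist, as `corsHeadersHardened` makes easy to do, is also a cheap signal that something is probing the API from an unexpected site.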
The Check Point team discovered they were able to tap into Alexa users’ personal information, retrieve their voice history with Alexa and call up the list of installed skills in the specific account. In addition, the software troubleshooters were able to “silently install” skills, or apps, on the user’s Alexa account.
Once the hacker is in, accessing a victim’s Alexa account could become as easy as “one click on an Amazon link that has been specially crafted by the attacker,” Check Point noted in its blog post. “In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill.”
The Check Point researchers – Dikla Barda, Roman Zaikin and Yaara Shriki – noted that they decided to probe and highlight Alexa’s vulnerabilities at a time when the global smart speaker market is poised to double to $15.6 billion by 2025.
By the end of the year, more than 200 million Alexa-powered devices will have been sold, Check Point notes.
Still, criminals interested in using Alexa to scam people out of their hard-earned money aren’t always using very sophisticated measures.
Amazon recently filed suit against two companies, alleging that a fraudulent global tech support scheme targeted customers by offering to set up Alexa-enabled Echo smart speakers at home with faux Amazon apps, and then charging them $150 for the fake service.