- Hackers might have had access to your Alexa voice history.
- Your home address and banking details could have been exposed as well.
- Amazon has fixed the problem but it’s unclear how many users were affected.
Hackers might have heard everything you’ve ever said to your Amazon Alexa device. That is, if you clicked on a malicious link targeting your Alexa account.
New findings by Check Point Research reveal that Alexa’s web services had flaws that hackers could have exploited to gain access to a user’s voice history and personal information. If you were a victim of this hack, everything you’ve ever said to Alexa or everything it’s heard could be the property of a hacker right now. The vulnerability could have also exposed information such as your home address and banking details.
“Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history,” Check Point researchers wrote in the blog post detailing the threat.
Moreover, the vulnerabilities could have also allowed a hacker to remove a commonly used skill and replace it with a malicious skill on the targeted victim’s Alexa account.
How does the Alexa hack work?
A successful hack would require the target to click on an unassuming link that looks like a regular Amazon package tracking link. Check Point reports that hackers could have exploited flaws in Amazon and Alexa’s subdomains to create such malicious links.
Once clicked, the link would redirect the target to a page injected with malicious code. The attacker would then send a special request to Alexa’s skills store and fool it into believing that a legitimate user is trying to access it. Once the attacker is in, they could start deleting or installing skills, or access the target’s Alexa voice history.
What does Amazon have to say?
The good news is that Amazon has already patched the flaws. However, hackers could have been exploiting them before they were found. It’s difficult to tell how many users have been impacted.
“We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed,” an Amazon spokesperson told Wired.
Amazon has also denied that any banking information was exposed. The company told Wired that all banking information is redacted in Alexa’s responses.
What can you do?
The incident is a reminder of how careful we need to be around our smart devices. Voice assistants are notorious for being vulnerable to malicious actors. Last year, researchers managed to trick both Alexa and Google Assistant into eavesdropping on users and voice-phishing for their passwords. We’ve also seen how hackers can take control of Siri, Alexa, and Google Assistant smart speakers using laser beams.
Needless to say, you have to be very careful about what you say to your smart speakers and voice assistants. Most smart devices come with a kill switch to stop them from listening to conversations. We suggest you use that switch generously. You should also regularly delete your conversations with Alexa and other digital assistants so that these types of hacks don’t affect you.
Other than that, be extra cautious about the links you click on, change your passwords regularly, and limit confidential interactions with smart devices in general.