Security firm Check Point Security discovered vulnerabilities in Amazon’s Alexa personal assistant that could be exploited by cybercriminals and result in massive data theft.
According to the report, published by Wired, Alexa’s web services had a number of bugs that allowed it to collect a user’s entire voice command history, plus other profile information, including their home address. At worst, the wizard’s abilities could also be accessed and replaced by malware that would do even more harm to the victim.
The flaw is considered serious, and exploiting the vulnerability first involved a targeted hit via links. Code injection could be done on Amazon’s own subdomains, such as a package tracking page.
As the security of smart devices in the Amazon Echo family is not that sophisticated and they accumulate a lot of important information, the attack could be carried out almost unnoticed. Even bank details would end up exposed — something that has been disputed by the company itself, which claims they remain confidential.
Although worrying, the situation was already resolved by Amazon before the publication of the report, with all vulnerabilities already properly closed.
Amazon, in turn, disputes Check Point Security’s findings. Check out the full positioning:
“The security of our devices is a priority and we appreciate the work of independent researchers like Check Point, who bring us questions like this. We fixed this issue as soon as we became aware of it and continued to further strengthen our systems. We are not aware of any instances of this vulnerability being used against our customers or of any customer information being exposed.”
This news was updated at 5:45 pm to include Amazon’s official positioning.
Check Point Security