Amazon's voice assistant Alexa reportedly had a bug that allowed attackers to install malicious skills remotely and spy on users' activity.
According to Dikla Barda, Roman Zaikin and Yaara Shriki, all researchers at Check Point who disclosed the severe vulnerabilities in Amazon's Alexa virtual assistant, the "exploits could have allowed an attacker to remove/install skills on the targeted victim's Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill."
Amazon's Alexa Brain initiative, announced earlier, is a program meant to make the assistant smarter by improving how Alexa tracks context and by giving it memory: Alexa can now remember information you ask it to keep, storing it and retrieving it later on request.
Those capabilities make the assistant a serious risk when compromised, because it can hand sensitive information to an attacker. Smart speakers are now so commonplace that it is easy to overlook how much personal data they hold and how much they control, since they often act as the hub for other smart-home devices.
How an XSS Flaw in Amazon's Subdomains Led to the Alexa Bug
The Alexa bug stemmed from a misconfigured CORS policy in Amazon's Alexa mobile application: any Amazon subdomain was trusted, so an adversary who could inject code on one Amazon subdomain (for example through an XSS flaw) could make credentialed cross-domain requests to any other Amazon subdomain.
Exploitation required only a single click: the victim opens an attacker-crafted Amazon link that leads to an Amazon subdomain vulnerable to XSS, and the injected script runs from there. The researchers also discovered that the request which retrieves the list of all skills installed on an Alexa account returns a CSRF token in the response.
A CSRF token is meant to prevent Cross-Site Request Forgery, an attack in which a malicious link or program causes an authenticated user's browser to perform unwanted actions on a legitimate site. In this chain the token is turned against its purpose: from the XSS foothold, the attacker triggers a request to the skillsstore.amazon.com subdomain with the victim's credentials, and because of the permissive CORS policy the response, containing the list of installed skills and the CSRF token, is readable by the attacker's script. With a valid token, further requests made in the victim's name, such as the skill removal and installation the researchers describe, pass the anti-CSRF check.
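The following is an added example written for this article, not code from Check Point's research or from Amazon. It simulates the server-side CORS decision for a credentialed API and the browser's read check, to show why a policy that trusts every *.amazon.com origin lets script injected on one subdomain read the skills list and CSRF token served by skillsstore.amazon.com, and how an exact-origin allowlist stops it. Every hostname other than skillsstore.amazon.com (xss-vulnerable.amazon.com, alexa-frontend.amazon.com, evil-amazon.com), the response field names and the token value are assumptions made for illustration.

```javascript
// Added example (not Check Point's or Amazon's code): simulated CORS policy
// for a credentialed API, weak and hardened, plus the browser's read check.
// Hostnames other than skillsstore.amazon.com and the response shape are assumed.

const API_ORIGIN = "https://skillsstore.amazon.com";

// Constructed stand-in for the skills-list response the article describes:
// installed skills plus an anti-CSRF token (field names and values assumed).
const SAMPLE_SKILLS_RESPONSE = {
  csrfToken: "csrf-token-example",
  skills: ["Example Bank", "Example Weather"],
};

function hostnameOf(origin) {
  try {
    return new URL(origin).hostname;
  } catch (e) {
    return null; // malformed Origin header: treat as untrusted
  }
}

// Weak policy (the shape of misconfiguration the article describes): echo back
// any origin under amazon.com and allow cookies. Every Amazon subdomain,
// including one with an XSS hole, becomes a trusted caller of this API.
function weakCorsHeaders(origin) {
  const host = hostnameOf(origin);
  if (host === null) return null;
  if (host === "amazon.com" || host.endsWith(".amazon.com")) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return null; // no CORS headers: the browser blocks the cross-origin read
}

// Hardened policy: exact allowlist of full origins, no suffix matching.
// Only the API's own origin and one assumed first-party front end are listed.
const ALLOWED_ORIGINS = new Set([API_ORIGIN, "https://alexa-frontend.amazon.com"]);

function strictCorsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not serve one origin's answer to another
  };
}

// Browser side of CORS for a fetch made with credentials: "include". The page's
// script may read the response only if the server echoed the page's exact
// origin and explicitly allowed credentials ("*" is rejected with credentials).
function browserCanRead(pageOrigin, headers) {
  if (headers === null) return false;
  return headers["Access-Control-Allow-Origin"] === pageOrigin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// What script injected on `pageOrigin` gets back from the skills endpoint
// under a given server policy. The victim's cookies ride along automatically;
// the only thing between the script and the data is the CORS check.
function simulateSkillsRead(pageOrigin, policy) {
  const headers = policy(pageOrigin);
  if (!browserCanRead(pageOrigin, headers)) {
    return { leaked: false, csrfToken: null, skills: [] };
  }
  return {
    leaked: true,
    csrfToken: SAMPLE_SKILLS_RESPONSE.csrfToken,
    skills: SAMPLE_SKILLS_RESPONSE.skills.slice(),
  };
}

// Demo: an assumed XSS-vulnerable Amazon subdomain against both policies.
const XSS_ORIGIN = "https://xss-vulnerable.amazon.com";
console.log("weak policy:  ", simulateSkillsRead(XSS_ORIGIN, weakCorsHeaders));
console.log("strict policy:", simulateSkillsRead(XSS_ORIGIN, strictCorsHeaders));
```

Run it with node. Under the weak policy the injected script receives the installed-skill list and the CSRF token, which is exactly the foothold the rest of the attack chain needs; under the strict policy the same script gets nothing, because xss-vulnerable.amazon.com is not in the allowlist. Note that the weak check here still requires the dot before amazon.com, so a lookalike such as evil-amazon.com is rejected: the problem the article describes is not a sloppy suffix match but trusting legitimate subdomains that are not all equally well defended.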
How big a risk is the Alexa Bug?
Amazon does not record Alexa users' banking login credentials, but every interaction is recorded, and since the attacker can access the voice history they can read the victim's exchanges with a banking skill and recover whatever data was discussed there.
Depending on the skills installed on the account, an attacker can also obtain usernames and phone numbers.
The research is another reminder that security must be a priority in the IoT space: virtual assistants are becoming more pervasive and are increasingly lucrative targets, both for attackers looking to steal sensitive information and for those who want to disrupt smart-home systems.