Check Point Security Report Says That Amazon Alexa Were Subject To Extensive Levels Of Pwnage

A report from Check Point Security researchers paints a pretty scary picture of how secure smart home devices are, specifically Amazon Alexa products:

Our findings show that certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting. Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf.

These vulnerabilities would have allowed an attacker to:

  • Silently install skills (apps) on a user’s Alexa account
  • Get a list of all installed skills on the user’s Alexa account
  • Silently remove an installed skill
  • Get the victim’s voice history with their Alexa
  • Get the victim’s personal information

In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill.

Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker.

Now all of those issues have been fixed. But it really makes one think twice about having these devices in one's home, as it seems wrong that a third-party company is doing the sort of due diligence that the makers of this gear should be doing themselves. The thing is that companies who create these devices have to make security the top priority if they want consumers to buy their gear. Thus the best way for you to get the most secure smart home gear is to demand and expect better from these companies.
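As an added illustration of the CORS misconfiguration class the report names (this is not code from the report or from Amazon, and the hostnames are constructed), here is a suffix-based origin check of the kind that goes wrong, beside a strict allow-list version a server should use when it also sends credentials:

```python
# Added example, not from the Check Point report or Amazon's code.
# Hostnames below are constructed for illustration.
from urllib.parse import urlsplit

# Constructed allow-list of origins that may call the API with cookies attached.
TRUSTED_HOSTS = {"alexa.example.com", "skills.example.com"}


def cors_headers_weak(origin: str) -> dict:
    """Misconfigured check: any origin whose host merely ends with the
    trusted suffix is reflected back with credentials allowed.
    'example.com.attacker.test' is rejected, but 'notexample.com' passes
    because the suffix test has no dot boundary."""
    host = urlsplit(origin).hostname or ""
    if host.endswith("example.com"):
        return {
            "Access-Control-Allow-Origin": origin,  # raw header reflected
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def cors_headers_strict(origin: str) -> dict:
    """Hardened check: exact host match against the allow-list, https only,
    default port only, and the reflected value is rebuilt from the matched
    host rather than copied from the request."""
    parts = urlsplit(origin)
    if (
        parts.scheme != "https"
        or parts.hostname not in TRUSTED_HOSTS
        or parts.port not in (None, 443)
        or parts.path not in ("", "/")
    ):
        return {}  # no CORS headers: browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": f"https://{parts.hostname}",
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from serving one origin's answer to another
    }
```

The weak version is what lets a page on an unrelated host read credentialed responses, which is the precondition for lifting a CSRF token across origins; the strict version returns nothing for any host outside the list.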

2 Responses to “Check Point Security Report Says That Amazon Alexa Were Subject To Extensive Levels Of Pwnage”

  1. Says:

    Good Morning,

    This information is very helpful, though, as one who isn’t very tech-savvy with these sort of issues, I don’t understand all the terminology.

    Questions:

    1. Did these vulnerabilities apply only to Alexa?

    2. Does Amazon own Alexa, or just provide services or products that use Alexa?

    3. Would or could these vulnerabilities in any way affect placing online orders for other products through Amazon or Amazon Canada?

    Thank you.


    • Hello. In answer to your questions:

      1. Yes. These only apply to Alexa products (or applied, as they have been fixed).

      2. Amazon develops and owns Alexa products.

      3. The vulnerabilities, according to the researchers, let an attacker automatically install Alexa skills without the knowledge of the user, acquire a list of all installed skills, silently remove installed skills, acquire the victim’s voice history with Alexa, and even gain personal information. So based on that, I would be safe in saying that it would affect your ability to order from Amazon, as an attacker could see what you ordered or even perhaps order on your behalf.
