September 25, 2020

An Alexa vulnerability might have exposed your voice history to hackers

Be careful what you say to your smart speaker.

Echo Studio volume and alexa controls

  • Hackers might have had access to your Alexa voice history.
  • Your home address and banking details could have been exposed as well.
  • Amazon has fixed the problem but it’s unclear how many users were affected.

Hackers might have heard everything you’ve ever said to your Amazon Alexa device. That is if you clicked on a malicious link targeting your Alexa account.

New findings by Check Point Research reveal that Alexa’s web services had flaws that hackers could have exploited to gain access to a user’s voice history and personal information. If you were a victim of this hack, everything you’ve ever said to Alexa or everything it’s heard could be the property of a hacker right now. The vulnerability could have also exposed information such as your home address and banking details.

Related: Is selling your privacy for a cheaper phone really a good idea?

“Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history,� Check Point researchers wrote in the blog post detailing the threat.

Moreover, the vulnerabilities could have also allowed a hacker to remove a commonly used skill and replace it with a malicious skill on the targeted victim’s Alexa account.

How does the Alexa hack work?

A successful hack would require the target to click on an unassuming link that looks like a regular Amazon package tracking link. Check Point reports that hackers could have exploited flaws in Amazon and Alexa’s subdomains to create such malicious links.

Once clicked, the link would redirect the target to a page injected with malicious code. The attacker would then sends a special request to Alexa’s skills store and fool it into believing that a legitimate user is trying to access it. Once the attacker is in, they could start deleting or installing skills, or access the target’s Alexa voice history.

What does Amazon have to say?

The good news is that Amazon has already patched the flaws. However, hackers could have been exploiting them before they were found. It’s difficult to tell how many users have been impacted.

“We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed,� An Amazon spokesperson told Wired.

Amazon has also denied that any banking information was exposed. The company told Wired that all banking information is redacted in Alexa’s responses.

What can you do?

The incident is a reminder of how careful we need to be around our smart devices. Voice assistants are notorious for being vulnerable to malicious actors. Last year, researchers managed to trick both Alexa and Google Assistant into eavesdropping on users and voice-phishing for their passwords. We’ve also seen how hackers can take control of Siri, Alexa, and Google Assistant smart speakers using laser beams.

Needless to say, you have to be very careful about what you say to your smart speakers and voice assistants. Most smart devices come with a kill switch to stop them from listening to conversations. We suggest you use that switch generously. You should also regularly delete your conversations with Alexa and other digital assistants so that these types of hacks don’t affect you.

Other than that, be extra cautious about the links you click on, change your passwords regularly, and limit confidential interactions with smart devices in general.

Also read: Alexagate is a gloriously unnecessary tool to stop Amazon Echo from listening