New research from Check Point suggests that Alexa is not as secure as we thought.
Alexa, Amazon’s virtual assistant which is becoming a larger presence in the enterprise, is not immune to outside attacks because its subdomains are vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting (XSS), Check Point researchers wrote.
“Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf,” researchers say.
Exploiting these vulnerabilities, attackers could silently install apps on a user’s Alexa account, get a list of all installed skills on the account, silently remove a skill, get the victim’s voice history and get the victim’s personal information.
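The CORS misconfiguration class mentioned above, as an added example that is not Check Point’s or Amazon’s code: a loose origin check that matches on a substring of the trusted domain, beside the strict allowlist form a credentialed API should use. All hostnames are constructed placeholders.

```python
# Added example (not from Check Point or Amazon): a loose CORS origin check
# next to the hardened form. Hostnames are constructed placeholders.
from urllib.parse import urlsplit

# Full origins (scheme + host [+ port]) that may read credentialed responses.
ALLOWED_ORIGINS = {"https://app.example.com", "https://skills.example.com"}

def loose_origin_ok(origin: str) -> bool:
    """Weak rule: accept any origin whose host *contains* the trusted domain.
    An unrelated registrable domain (example.com.attacker.test) and any
    unlisted subdomain both pass, so one XSS bug anywhere under the domain
    is enough to read the token-bearing response cross-origin."""
    return "example.com" in (urlsplit(origin).hostname or "")

def strict_origin_ok(origin: str) -> bool:
    """Hardened rule: exact match against an explicit allowlist of full
    origins, with no substring, suffix or wildcard logic."""
    return origin in ALLOWED_ORIGINS

def cors_headers(origin: str, check=strict_origin_ok) -> dict:
    """Build CORS response headers for an endpoint that returns data tied to
    the user's session (such as a CSRF token). Only an allowed origin is
    echoed back; otherwise Access-Control-Allow-Origin is omitted and the
    browser refuses to expose the response to the calling page."""
    if not check(origin):
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Keep caches from serving one origin's header to another origin.
        "Vary": "Origin",
    }
```

Reviewing a CORS policy means checking the matching logic, not just that an allowlist exists: a substring or suffix test behaves like the loose rule above even when it looks restrictive.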
“In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill,” researchers wrote. “Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker.”
Virtual assistants are becoming more common in both the home and workplace, so anyone using Alexa should be aware of this vulnerability and take steps to mitigate these potential attacks.
According to Check Point, IoT devices like Alexa devices still lack adequate security. That makes them attractive targets for cybercriminals.
“Cybercriminals are continually looking for new ways to breach devices, or use them to infect other critical systems,” Check Point researchers wrote. “This research presented a weak point in what is a bridge to such IoT appliances. Both the bridge and the devices serve as entry points. They must be kept secured at all times to keep hackers from infiltrating our smart homes.”