Alexa, have you been hacked?

Many of us use Amazon's Alexa in our homes. We listen to music and connect our lights, heating, bank accounts and more to our Amazon Alexa accounts, turning them on or off with a simple voice command.

Have you ever wondered whether, every time you add a new skill to your Amazon Alexa, you are giving an attacker access to your personal information?

Check Point Research discovered a backdoor into Amazon Alexa accounts, which may allow an attacker to silently add or remove skills, get your voice history (including recordings or transcripts of Alexa telling you your bank balance), and even read the personal information you have in your Alexa account.

Weaknesses involving Cross-Origin Resource Sharing (CORS) and Cross-Site Scripting (XSS) may allow attackers to create harmful tokens, which they could then add as a link to your Amazon Alexa account, wrapped up as a skill. When you used that skill, they could access your account. (Amazon has since repaired this vulnerability.) Scarily simple.

Cybercriminals are always looking for new ways to hack into more devices and steal your data. Remember that data breaches are not limited to PCs or phones – always secure your smart home devices, to make sure you are not letting them in the back door while locking the front.

Stay safe