Amazon Alexa Bugs could allow hackers to install malicious skills remotely

Checkpoint researchers have found several severe vulnerabilities in Amazon Alexa, and these Amazon Alexa bugs could allow hackers to perform a number of malicious attacks.

If you use an Amazon Alexa voice assistant on your smart speakers, just opening a web link could let hackers install malicious skills on it and spy on the victim remotely.

Voice assistants and smart speakers are widely available and hold a great deal of a user’s personal data. Hackers see them as an entry point that gives them an opportunity to access the user’s data, eavesdrop on conversations, or perform other malicious activities.

Successfully exploiting the flaw requires just one click on an Amazon link that has been specially crafted by the attacker.

According to a report shared by Checkpoint cybersecurity researchers, after successfully exploiting the flaw an attacker could remove or install skills on the targeted victim’s Alexa account, access their voice history, and acquire personal information through skill interaction when the user invokes the installed skill.

Amazon has patched all the vulnerabilities after the researchers shared their findings with the company in June 2020.

Technical Details of Amazon Alexa Bugs

After bypassing the SSL pinning mechanism, the researchers found a misconfigured CORS policy that allowed them to send Ajax requests from any other Amazon subdomain, so a code-injection capability on one Amazon subdomain could be used to perform a cross-domain attack on another Amazon subdomain.
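The CORS weakness described above, as an added example that is not from the Checkpoint research or Amazon’s code: a permissive origin check that trusts every subdomain beside an exact-match allowlist, with a constructed placeholder domain (example-store.test) standing in for the real hosts.

```python
from urllib.parse import urlsplit

# Constructed first-party names for this example; not the real Amazon hosts.
BASE_DOMAIN = "example-store.test"
ALLOWED_ORIGINS = {
    "https://www.example-store.test",
    "https://skills.example-store.test",
}


def weak_cors_headers(origin: str) -> dict:
    """Permissive policy of the kind described above: any host under the base
    domain is reflected back with credentials enabled, so one XSS on any
    subdomain suffices to read credentialed responses (e.g. a CSRF token)
    from every other subdomain."""
    host = urlsplit(origin).hostname or ""
    if host == BASE_DOMAIN or host.endswith("." + BASE_DOMAIN):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def strict_cors_headers(origin: str) -> dict:
    """Hardened policy: exact-match allowlist of https origins; anything else
    gets no CORS headers, so the browser withholds the response body."""
    if urlsplit(origin).scheme != "https" or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # caches must key the response on the origin
    }


def cross_origin_read_allowed(headers: dict, origin: str) -> bool:
    """Mirror the browser's credentialed-CORS rule: the body is exposed only
    when the origin is echoed exactly and credentials are explicitly allowed."""
    return (
        headers.get("Access-Control-Allow-Origin") == origin
        and headers.get("Access-Control-Allow-Credentials") == "true"
    )


if __name__ == "__main__":
    # Constructed scenario: a sibling subdomain that happens to carry an XSS.
    xss_origin = "https://help.example-store.test"
    print("weak policy exposes body:", cross_origin_read_allowed(weak_cors_headers(xss_origin), xss_origin))
    print("strict policy exposes body:", cross_origin_read_allowed(strict_cors_headers(xss_origin), xss_origin))
```

Under the weak policy the unlisted subdomain gets a credentialed read; under the strict one only the two listed origins do, which is the property to verify when reviewing CORS configuration for a multi-subdomain site.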

PoC for the Amazon Alexa bugs

An attacker who obtains the victim’s CSRF token can perform malicious actions, including remotely installing or enabling new skills on the victim’s account.

To successfully exploit the vulnerability, the attacker needs an XSS vulnerability in one of Amazon’s subdomains, and the victim needs to click on the link specially crafted by the attacker for the code injection to take effect.


After this, the attacker can use the code injection to trigger a request to skillsstore.amazon.com with the victim’s credentials.

Once the Amazon Alexa bugs have been triggered, the attacker can easily install and remove skills and obtain the victim’s voice history and personal information.

Need for IoT Security

Nowadays, virtual assistants are used in smart homes to control everyday IoT devices such as air conditioning, lights, vacuum cleaners, electricity and entertainment systems.

With their increase in popularity over the past decade, these devices have attracted cybercriminals.

Cybercriminals are taking advantage of this to get in, exploit vulnerabilities in IoT devices with new techniques, and infect the system. These devices must be kept secure to stop bad actors from infiltrating smart homes.

Satender Kumar

A tech blogger, always fascinated with technology, who gathers as much knowledge as possible from the internet and loves to share it with others.
