August 17, 2020

How Easy Was it For Researchers to Hack into Alexa?

By Claudia Glover

During routine tests, researchers at cyber security company Check Point found that through certain vulnerable Amazon Alexa subdomains, it is not just possible but actually fairly easy to hack into the AI personal assistant. (The vulnerabilities were reported to Amazon in June and have since been patched). 

The researchers explained in a report released by the company that, using some publicly available tools, they were able to silently install or remove apps from a user’s account and access the user’s entire voice history and all of their personal information. “As virtual assistants today serve as entry points to people’s homes appliances and device controllers,” they explained. “Securing these points has become critical, with maintaining the user’s privacy being top priority.

“This was our “entry point” and central motivation while conducting this research”.

How Researchers Hacked Alexa

Researchers began their testing with the Alexa mobile application and found that an SSL pinning mechanism was in place, which prevented them from inspecting the traffic. However, by using a well-known Frida SSL universal unpinning script, they could bypass the SSL pinning pretty quickly and view the traffic in clear text.

While analysing the traffic, researchers found that several requests made by the app were covered by a misconfigured CORS policy (CORS, or cross-origin resource sharing, is the mechanism by which a server tells browsers which other domains may read its responses), which would allow Ajax requests to be sent from any other Amazon subdomain. This vulnerability opens the door for attackers with code-injection capabilities on one Amazon subdomain to perform a cross-domain attack on another Amazon subdomain.
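
The kind of origin check described above, as an added example that is not taken from the report or from Amazon's code: a server-side CORS policy that trusts every subdomain of a parent domain, beside one that uses an exact allowlist. All hostnames, function names and sample values are constructed for illustration.

```javascript
// Added example: hosts, names and the allowlist are constructed placeholders.
const PARENT_DOMAIN = "example.com";

// Weak policy: reflect any origin that sits under the parent domain.
// A flaw on one subdomain then exposes credentialed responses from the rest.
function weakCorsHeaders(origin) {
  let host;
  try { host = new URL(origin).hostname; } catch { return {}; }
  if (host === PARENT_DOMAIN || host.endsWith("." + PARENT_DOMAIN)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Hardened policy: exact match (scheme + host) against the few origins
// that actually need to read this endpoint's responses.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://store.example.com",
]);

function strictCorsHeaders(origin) {
  // Vary: Origin stops caches serving one origin's grant to another.
  const headers = { "Vary": "Origin" };
  if (typeof origin === "string" && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Constructed sample Origin header values.
const SAMPLE_ORIGINS = [
  "https://app.example.com",        // intended client
  "https://tracking.example.com",   // sibling subdomain with no need for access
  "http://app.example.com",         // right host, wrong scheme
  "https://example.com.other.test", // look-alike hostname
];

// Returns, per sample origin, whether each policy grants cross-origin reads.
function compare() {
  return SAMPLE_ORIGINS.map((o) => ({
    origin: o,
    weak: "Access-Control-Allow-Origin" in weakCorsHeaders(o),
    strict: "Access-Control-Allow-Origin" in strictCorsHeaders(o),
  }));
}
console.table(compare());
```

The sibling subdomain and the plain-HTTP origin are accepted by the weak policy and rejected by the allowlist, which is the difference that matters when one subdomain is less trustworthy than another.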

From this point the attacker is able to trigger an error response from the server. This response provides code that can be manipulated and used to trigger the Ajax request back to Amazon for the victim’s credentials. This is where it gets interesting.

The Ajax request sends cookies to skills-store.amazon.com and steals the CSRF token, an unpredictable value generated for a page you want to protect. Armed with the token, the threat actor can perform a CSRF attack and silently install a skill to the victim’s Alexa account. From here the attacker can gain access to pretty much anything connected to the victim’s Alexa. Through access to things like chat history, it can be easy to get hold of banking credentials and other sensitive data. Home addresses and other valuable information will also feature prominently in a chat history.

There is a small window in which to act, however, as Amazon conducts security reviews as part of skill certification and continually monitors live skills for potentially malicious behaviour. Any offending skills are blocked during certification or quickly deactivated.

“Virtual assistants are used in Smart Homes to control everyday IoT devices such as lights, A/C, vacuum cleaners, electricity and entertainment” the report notes.

“They grew in popularity in the past decade to play a role in our daily lives, and it seems as technology evolves, they will become more pervasive.

“IoT devices are inherently vulnerable and still lack adequate security, which makes them attractive targets to threat actors. Cybercriminals are continually looking for new ways to breach devices, or use them to infect other critical systems”. 
