Researchers at cybersecurity service provider Check Point discovered a vulnerability in Amazon’s virtual assistant Alexa that left the owner’s personal information vulnerable to attacks before it was patched in June. .
Researchers detailed the vulnerability in a report published Thursday, saying that potential hackers may have hijacked voice assistant devices using malicious links. by Amazon.
Once those links are clicked, hackers will be able to install or remove “Skills” – essentially apps – from the Alexa device.
They can also access a user’s voice history using their device as well as sensitive personal information such as bank data and home address.
Check Point presented the vulnerability to Amazon in June, and the company subsequently fixed the security issues. The online retail giant did not immediately respond to a request for comment from The Hill.
Experts have long warned of security flaws present in Internet-enabled devices, which are common in many American homes.
More than 200 million Alexa-enabled devices have been sold by the end of 2019, and the vulnerability in those devices could pose a serious privacy risk.
“Smart speakers and virtual assistants are so common that it is easy to ignore the amount of personal data they hold and their role in controlling other smart devices in our homes,” said Oded Vanunu , head of product vulnerability research at Check Point, said in a statement.
“But hackers see them as the entrance into people’s lives, giving them the opportunity to access data, eavesdrop on conversations or perform other malicious actions without the owner’s knowledge.”
However, Amazon insists these devices are secure.
“The security of our devices is a top priority and we appreciate the work of independent researchers like Check Point who bring us potential problems,” said the transmitter. Amazon said in a statement to The Hill. “We fixed this as soon as it was noted and we continue to strengthen our systems further. We are unaware of any instances of this vulnerability being used against our customers. us or any customer information disclosed. “