Enlarge / An Amazon Echo, specifically its top control buttons for volume, mic off, and Alexa action. (credit: Valentina Palladino)
Smart-assistant devices have had their share of privacy missteps, but they're generally considered safe enough for most people. New research into vulnerabilities in Amazon's Alexa platform, though, highlights the importance of thinking about the personal data your smart assistant stores about you—and minimizing it as much as you can.
Findings published on Thursday by the security firm Check Point reveal that Alexa's Web services had bugs that a hacker could have exploited to grab a target's entire voice history, meaning their recorded audio interactions with Alexa. Amazon has patched the flaws, but the vulnerability could have also yielded profile information, including home address, as well as all of the "skills," or apps, the user had added for Alexa. An attacker could have even deleted an existing skill and installed a malicious one to grab more data after the initial attack.
"Virtual assistants are something that you just talk to and answer, and usually you don’t have in your mind some kind of malicious scenarios or concerns," says Oded Vanunu, Check Point's head of product vulnerability research. "But we found a chain of vulnerabilities in Alexa's infrastructure configuration that eventually allows a malicious attacker to gather information about users and even install new skills."
Read 9 remaining paragraphs | Comments