Your reliable at-home electronic secretary may not be as trustworthy as you think it is. Recently, hackers picked Amazon’s Alexa as their latest target. Posing as Amazon “staff,” they email a link and get Alexa to provide all the info on you that Amazon Echo has stored.
Has Alexa lost her mind?
Security experts have discovered a vulnerability in Amazon’s voice command program. The attack affects just over 200 million Alexa users on Amazon Echo devices.
The hack is simple. Hackers will talk to you through Alexa to learn your personal info. Researchers said threat actors inject code that exploits the vulnerability inside the Echo network.
To explain, the malware does not control the records on Amazon Echo or Alexa. Rather, the issue starts when hackers send out an email posing as Amazon. Once the user clicks the link in the email, Alexa directs the user to the “program.”
The “trusty assistant” will then disclose your personal information, such as home addresses, phone numbers, banking accounts, or even bank records.
“Our findings show that certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting. Using the XSS, we were able to get the CSRF token and perform actions on the victim’s behalf,” said Check Point.
The full list of actions an attacker could perform reads as follows:
- Access the personal records of the target. These include banking details, online account usernames, phone numbers and home address;
- Extract and listen to voice recordings from previous Alexa requests;
- Silently update the skills on the Alexa account and ‘secretly’ add new features;
- Display the entire list of Alexa capabilities currently linked to the target’s account; and
- Quietly uninstall an activated capability to prevent it from working.
Amazon has yet to comment on the possible security risks to users of Alexa. However, the e-commerce giant has already resolved the problems.
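The Check Point statement above names a CORS misconfiguration that let a script on one subdomain read a CSRF token from another. The following is an added example, not Check Point's or Amazon's code: it contrasts a weak origin check with a hardened one. The page does not describe the exact misconfiguration, so the suffix-match policy, the `example.com` hostnames and all function names are assumptions made for illustration.

```javascript
// Constructed allowlist; example.com stands in for the real service (assumption).
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://account.example.com",
]);

// Weak policy: trusts any origin whose text ends with the parent domain and
// echoes it back with credentials. A script-injection bug on any subdomain
// can then read authenticated responses, CSRF tokens included.
function weakCorsHeaders(origin) {
  if (typeof origin === "string" && origin.endsWith("example.com")) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Hardened policy: parse the header, require HTTPS, and require an exact
// match against a short allowlist. Anything else gets no CORS headers.
function strictCorsHeaders(origin) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return {}; // missing, "null" or malformed Origin header
  }
  if (parsed.protocol !== "https:" || origin !== parsed.origin) return {};
  if (!TRUSTED_ORIGINS.has(parsed.origin)) return {};
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from reusing one origin's response
  };
}

// True when the policy would let the browser expose the response to `origin`.
function allows(policy, origin) {
  return policy(origin)["Access-Control-Allow-Origin"] !== undefined;
}
```

With the strict policy, a cross-site scripting flaw on an unlisted subdomain no longer yields readable responses from the sensitive endpoint, although the flaw itself still needs fixing.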
Was Alexa manipulated?
Like other apps, Amazon’s Echo can be compromised by malicious threat actors, too.
Last year, Forbes claimed that a laser can manipulate Amazon Alexa. ‘Warm Orders’ is one of the actors’ most popular hacking techniques.
The light will relay the same signal from the speakers and imitate the laser beam’s voice.
“It’s just the sort of vulnerability that designers, even those with great threat models, don’t think about. It just goes to show that the threat can evolve, and so should your threat model,” said Professor Alan Woodward, a security expert from the University of Surrey.
How to protect your Amazon Echo from hackers?
Turn off your Echo’s mic
The weakest component of any Echo unit is the microphone. It picks up all the sound in the room. It could also disrupt your private communications if the system picks up the wrong terms. Press the Off / On button on top of the unit to shut off the Echo’s microphone. Alexa can’t receive commands if the microphone is muted.
Disable voice purchasing or set up a PIN code for purchases
Asking Alexa to purchase more laundry detergent is a neat trick, and a huge draw for people who enjoy shopping online for household products. However, a single lapse in security could cost you dearly.
If you do want the ease of Echo voice purchasing (and the sci-fi vibe), set up a PIN code to deter illegal transactions. To set it up, go to the same Voice Buying settings page in your Alexa app, toggle “Purchase by Voice” to On, then toggle “Voice Code” to On as well. You will then be asked to type the four-digit PIN code.