These vulnerabilities would have allowed an attacker to:
Silently install skills (apps) on a user’s Alexa account Get a list of all installed skills on the user’s Alexa account Silently remove an installed skill Get the victim’s voice history with their Alexa Get the victim’s personal information
In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history, and acquire personal information through skill interaction when the user invokes the installed skill. The researchers noted that hackers could get around the flaw by creating a separate Alexa skill that uses the same “invocation phrase” as a legitimate service – the series of spoken words used to trigger it. “Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes. But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware,” said Oded Vanunu, Head of Products Vulnerabilities Research at Check Point. “We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”
