
An Alexa Bug Could Have Exposed Your Voice History To Hackers (wired.com)

An anonymous reader quotes a report from Wired: Findings published on Thursday by the security firm Check Point reveal that Alexa's Web services had bugs that a hacker could have exploited to grab a target's entire voice history, meaning their recorded audio interactions with Alexa. Amazon has patched the flaws, but the vulnerability could have also yielded profile information, including home address, as well as all of the "skills," or apps, the user had added for Alexa. An attacker could have even deleted an existing skill and installed a malicious one to grab more data after the initial attack. [...] For an attacker to exploit the vulnerabilities, they would need first to trick targets into clicking a malicious link, a common attack scenario. Underlying flaws in certain Amazon and Alexa subdomains, though, meant that an attacker could have crafted a genuine and normal-looking Amazon link to lure victims into exposed parts of Amazon's infrastructure. By strategically directing users to track.amazon.com -- a vulnerable page not related to Alexa, but used for tracking Amazon packages -- the attacker could have injected code that allowed them to pivot to Alexa infrastructure, sending a special request along with the target's cookies from the package-tracking page to skillsstore.amazon.com/app/secure/your-skills-page.

At this point, the platform would mistake the attacker for the legitimate user, and the hacker could then access the victim's full audio history, list of installed skills, and other account details. The attacker could also uninstall a skill the user had set up and, if the hacker had planted a malicious skill in the Alexa Skills Store, could even install that interloping application on the victim's Alexa account. Both Check Point and Amazon note that all skills in Amazon's store are screened and monitored for potentially harmful behavior, so it's not a foregone conclusion that an attacker could have planted a malicious skill there in the first place. Check Point also suggests that a hacker might be able to access banking data history through the attack, but Amazon disputes this, saying that information is redacted in Alexa's responses.
"The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us," an Amazon spokesperson told WIRED in a statement. "We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed."
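The summary above describes two ingredients of the pivot: a session cookie scoped to the parent domain, so that a sibling host such as the package-tracking page receives it, and a service that trusts requests from that sibling. The Python below is an added example of auditing those two settings, written for this page; it is not Check Point's or Amazon's code, the function names are mine, and every host name, cookie and origin policy in it is a constructed placeholder (example.com rather than any real Amazon host). It goes beyond the specific story in that it models the general browser rules: when a cookie is attached to a request, and when a credentialed cross-origin response is readable by script.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example (not Check Point's or Amazon's code). All hosts, cookies
# and policies are constructed; example.com stands in for any real domain.


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into the cookie name and a
    lower-cased attribute map (flag attributes such as Secure map to '')."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cookie_sent_to(host: str, issuing_host: str, attrs: Dict[str, str]) -> bool:
    """Would a browser attach this cookie to a request for `host`?
    No Domain attribute: host-only, sent to the issuing host alone.
    Domain=.parent: sent to the parent and to every subdomain of it."""
    host, issuing_host = host.lower(), issuing_host.lower()
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        return host == issuing_host
    return host == domain or host.endswith("." + domain)


def audit_cookie_scope(header_value: str, issuing_host: str,
                       sibling_hosts: List[str]) -> List[str]:
    """Report which sibling hosts also receive the cookie and which
    hardening attributes are missing. SameSite is deliberately not
    checked: sibling subdomains share a registrable domain and are
    therefore the same site, so SameSite does not separate them."""
    name, attrs = parse_set_cookie(header_value)
    findings: List[str] = []
    shared = [h for h in sibling_hosts if cookie_sent_to(h, issuing_host, attrs)]
    if shared:
        findings.append(f"{name}: shared with {', '.join(shared)} "
                        f"via Domain={attrs.get('domain')}")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by injected script)")
    return findings


def weak_origin_policy(origin: str, base_domain: str) -> Optional[str]:
    """Hypothetical permissive server policy: echo back any https origin
    under base_domain. One sibling with an injection bug is then trusted
    by every service using this policy."""
    pattern = re.compile(r"^https://(?:[a-z0-9-]+\.)+" + re.escape(base_domain) + r"$")
    return origin if pattern.match(origin) else None


def allowlist_origin_policy(origin: str, allowed: List[str]) -> Optional[str]:
    """Hardened policy: exact-match allowlist of the few origins that
    genuinely need credentialed access."""
    return origin if origin in allowed else None


def browser_releases_credentialed_response(acao: Optional[str], acac: str,
                                           requesting_origin: str) -> bool:
    """Browser rule: a credentialed cross-origin response is readable by
    script only if Access-Control-Allow-Origin equals the requesting origin
    exactly and Access-Control-Allow-Credentials is 'true'; '*' never counts."""
    return acac.lower() == "true" and acao is not None and acao == requesting_origin


def demo() -> Tuple[List[str], bool, bool]:
    """Constructed scenario: a parent-scoped session cookie plus a sibling
    host that an attacker can run script on. Returns the cookie findings and
    whether the sibling can read the account service's response under the
    weak and the hardened CORS policy."""
    cookie = "session=abc123; Domain=.example.com; Path=/; Secure; HttpOnly"
    siblings = ["track.example.com", "skills.example.com"]
    findings = audit_cookie_scope(cookie, "www.example.com", siblings)
    sibling_origin = "https://track.example.com"
    weak = browser_releases_credentialed_response(
        weak_origin_policy(sibling_origin, "example.com"), "true", sibling_origin)
    hardened = browser_releases_credentialed_response(
        allowlist_origin_policy(sibling_origin, ["https://www.example.com"]),
        "true", sibling_origin)
    return findings, weak, hardened


if __name__ == "__main__":
    findings, weak, hardened = demo()
    for line in findings:
        print(line)
    print("readable under weak policy:", weak, "| under allowlist:", hardened)
```

The two hardened settings are narrow ones: issue the session cookie host-only (no Domain attribute) where a single host needs it, and keep the credentialed CORS allowlist to exact origins rather than a pattern that matches every subdomain. SameSite does not help against a sibling subdomain, because hosts under one registrable domain count as the same site.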
  • no alexa (Score:3, Insightful)

    by awwshit ( 6214476 ) on Monday August 17, 2020 @10:41PM (#60413357)

    No Alexa, no problem.

    • I've inserted ;-) Alexa into my !NSFW! Real Doll !NSFW! [realdoll.com]. Could this be a problem?

      Meanwhile in other news... [nypost.com]
    • Agreed. Every new compromise highlights just how little Amazon cares about your privacy.

      I mean seriously - why is Alexa even storing your voice history? Maybe there's some benefit to storing a very brief history to apply statistical analysis to improve service, but what I said six months ago is completely irrelevant to satisfying my current request. You want to keep potentially sensitive information secure on an internet connected device? Delete it. Or better yet, don't store it in the first place. Ther

  • by Anonymous Coward
    Simply shocked that Set-Cookie headers with a wildcard domain could be used to attack another part of that domain's infrastructure. Oh, wait...
  • by cusco ( 717999 )

    They'll learn about my bizarre taste in music, see my shopping list, and know what time I get up in the morning! Oh, I just could not live with that!

    • Erm ... you thinking it's not a big deal doesn't mean that others are wrong for thinking that it is in their opinion of course. Not everyone thinks everything should be everyone's business, what a surprise! /s (on the "what a surprise" part)
  • Seriously, why allow these "things" into your house.

    I understand if you're an Alzheimer support team or so stupid you don't care, but Really?


    • It is quite useful as a light switch for a lazy person like me.

      • by cusco ( 717999 ) <brian@bixby.gmail@com> on Tuesday August 18, 2020 @09:43AM (#60414521)

        The newer ones have a pretty good speaker (or can interface with really good speakers). 99% of our usage consists of playing music, turning lights and the fishpond pump on and off, and setting alarms. I'm really not clear on what "sensitive information" Amazon would be storing.

        • by MrL0G1C ( 867445 )

          Well if you're using Alexa to set alarms then burglars might figure out when to rob you, and if you can set an alarm with an insecure device then they might also be able to turn your alarm off through hacking.

          • by cusco ( 717999 )

            You apparently haven't met any thieves; they're thieves because they're lazy and stupid. Any reasonably ambitious and intelligent person will make far more in a year honestly than almost any burglar, and anyone who can hack Amazon isn't going to be boosting your television; they'll go for something actually worthwhile. A regular thief will just ring your doorbell pretending to sell magazines or toss a rock through your window and see if anyone responds.

            And your home alarm system is useless unless you're pa

            • Comment removed based on user account deletion
              • by cusco ( 717999 )

                Physical security. I do this stuff all day every day. I've known half a dozen 911 dispatchers and have worked with 5 police departments.

                If your alarm doesn't make enough noise to piss off the neighbors enough for them to call the police then no one is going to be dispatched. This is real life, not TV. If you're actually worried about a B&E then cough up the extra to have the alarm company send a patrol themselves.

            • No, someone builds a tool with automation to hack your Alexa quickly and easily. The dumbass criminals buy this tool and actually use it. You still have a problem if you have internet connected locks and/or streaming video from in/around your home.

  • Self-respect? (Score:4, Insightful)

    by DogDude ( 805747 ) on Tuesday August 18, 2020 @12:09AM (#60413495)
    Even if you don't have anything you care about other people hearing... don't people have any sort of self-respect these days? They're completely fine with having random strangers record their lives? How does that even happen? If somebody asked if they could record me and my family all the time, I'd tell them to fuck right off.
    • They're completely fine with having random strangers record their lives?

      Given how thin apartment walls are, pretty much all their neighbours can hear everything that goes on in another person's life, anyway.

    • They're completely fine with having random strangers record their lives?

      What makes you think they actually have lives?

      On another note - is this not what Alexa is for?

    • by cusco ( 717999 )

      A couple of points, first off Amazon isn't "recording their lives", it records the sentence after the wake up word, sends that to AWS for analysis, and then carries out the response. If I tell it to play the 'Ultimate Classical' playlist it's not going to record anything else for the next couple of hours unless I tell it to skip a song. That doesn't seem at all intrusive to me.

      Second, you're being recorded every time you step out of your house. The police in England alone have access to over two million c

      • by DogDude ( 805747 )
        A couple of points, first off Amazon isn't "recording their lives", it records the sentence after the wake up word, sends that to AWS for analysis, and then carries out the response.

        If you believe that, I have a bridge to sell you.

        Go into any store and you're on the Panopticon. Do you consent to any of that?

        No, but I'm not being recorded in my bedroom. Huge difference. I don't expect to have privacy on a public street. I do in my home. That's why I have a home.
        • Re:Self-respect? (Score:5, Interesting)

          by cusco ( 717999 ) <brian@bixby.gmail@com> on Tuesday August 18, 2020 @10:54AM (#60414751)

          Which bridge? Does it have a nice view of the river?

          I work at Amazon (physical security, nothing to do with programming), the company has no interest in your conversations with the cat. You're not that interesting, and it makes no financial sense to spend the time, bandwidth, and storage to record anything not associated with usage of their product.

          Do you know how to use Wireshark? Visit someone who has an Echo device, check the MAC address on the Echo, and watch the traffic. I don't expect you to go out and buy one afterwards, but at least you won't be spouting nonsense.

  • by tsa ( 15680 ) on Tuesday August 18, 2020 @12:13AM (#60413503) Homepage

    Hacker [häxør]
    Someone who pays Amazon for information gathered by Alexa.

  • My god, what have I done?

  • Not sure which one is worse.

    • There's one thing I'd do if I owned one of those awful devices: I'd come close to it, pretend I'm talking with another person on the phone, and say "You know what? I'm really glad we killed Jeff yesterday. That went really well, nobody saw us and we finally got rid of the bastard." without actually addressing the device.

      If Amazon is listening in, they have a problem: they're legally obliged to report me to the police under federal Law 18 U.S.C. section 4. But if they do, they officially reveal that they spy

      • Umm, how is that a problem? They *already* officially reveal they spy on people - in fact it's in the terms of service.

      • by cusco ( 717999 )

        I work with people who program these things, and they're not spying on you or recording your conversations. Your life really isn't that interesting.

        Want to actually tell if you're being recorded? Set up Wireshark and sniff the traffic to/from your router. It's easy to identify the Echo, the MAC address is printed right on it. You'll see an occasional ping to AWS to verify that the connection is still good, and nothing else until you say the wake up word. Then there will be a short flurry of traffic as
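cusco's suggestion above is a measurement: capture the traffic to and from the Echo's MAC address and see whether anything beyond periodic keepalives leaves the device when no wake word is spoken. The Python below is an added example of that analysis, not the commenter's code and not Amazon's: it parses a classic libpcap file, attributes bytes to one MAC, buckets them into 10-second windows and flags windows far above the median. The capture it reads is constructed inline, both MAC addresses and the function names are placeholders of mine, and the timing figures are invented; on a real network you would record with tcpdump or Wireshark and read the Echo's MAC from its label.

```python
import struct
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Added example (not the commenter's or Amazon's code). MACs and the
# capture below are constructed placeholders.

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian libpcap
LINKTYPE_ETHERNET = 1
ECHO_MAC = bytes.fromhex("02aabbccddee")    # placeholder: read the real one off the device
ROUTER_MAC = bytes.fromhex("020011223344")  # placeholder


def build_pcap(packets: List[Tuple[float, bytes, bytes, int]]) -> bytes:
    """Write a minimal libpcap file from (timestamp, src_mac, dst_mac,
    payload_len) tuples. Only used to make the sample self-contained;
    a real capture comes from tcpdump or Wireshark."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, src, dst, payload_len in packets:
        frame = dst + src + b"\x08\x00" + b"\x00" * payload_len   # EtherType IPv4, dummy body
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def iter_frames(data: bytes) -> Iterator[Tuple[float, bytes, bytes, int]]:
    """Yield (timestamp, src_mac, dst_mac, frame_len). Decoding the
    Ethernet header alone is enough to attribute bytes to a device."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        off += caplen
        if len(frame) >= 14:
            yield sec + usec / 1e6, frame[6:12], frame[0:6], len(frame)


def bytes_per_window(data: bytes, device_mac: bytes, window_s: int = 10) -> Dict[int, int]:
    """Bytes sent or received by device_mac, bucketed by window start time."""
    buckets: Dict[int, int] = defaultdict(int)
    for ts, src, dst, n in iter_frames(data):
        if device_mac in (src, dst):
            buckets[int(ts) // window_s * window_s] += n
    return dict(buckets)


def find_bursts(buckets: Dict[int, int], factor: float = 5.0) -> List[int]:
    """Windows carrying more than `factor` times the median window. Idle
    keepalives give a low, flat median; an upload after the wake word
    stands out. Windows with no traffic at all are absent from `buckets`."""
    if not buckets:
        return []
    counts = sorted(buckets.values())
    median = counts[len(counts) // 2]     # upper median for even counts
    return sorted(w for w, n in buckets.items() if n > factor * median)


def sample_capture() -> bytes:
    """Constructed five-minute capture: a 60-byte keepalive each way every
    30 s, one 20-packet upload starting at t0+125 s, and one frame from an
    unrelated device that must be ignored."""
    t0 = 1_597_708_800.0
    pkts = []
    for k in range(10):
        pkts.append((t0 + 5 + 30 * k, ECHO_MAC, ROUTER_MAC, 60))
        pkts.append((t0 + 5.2 + 30 * k, ROUTER_MAC, ECHO_MAC, 60))
    for k in range(20):
        pkts.append((t0 + 125 + 0.1 * k, ECHO_MAC, ROUTER_MAC, 1400))
    pkts.append((t0 + 300, bytes.fromhex("020000000099"), ROUTER_MAC, 800))
    return build_pcap(sorted(pkts))


def analyze_sample() -> Tuple[Dict[int, int], List[int]]:
    """Bucket the constructed capture for the Echo MAC and flag bursts."""
    buckets = bytes_per_window(sample_capture(), ECHO_MAC)
    return buckets, find_bursts(buckets)


if __name__ == "__main__":
    buckets, bursts = analyze_sample()
    for w in sorted(buckets):
        print(w, buckets[w], "<-- burst" if w in bursts else "")
```

To use it on a real recording, replace `sample_capture()` with the bytes of a file written by tcpdump or Wireshark (classic pcap, not pcapng) and set the device MAC from the label. A burst that lines up with a spoken wake word is the expected flurry; a burst with no wake word is what the comment says you should not see.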

  • by mridoni ( 228377 ) on Tuesday August 18, 2020 @03:38AM (#60413781)

    From me they're probably going to learn new and interesting ways of swearing, given the number of attempts it takes to make the damn machine play the music you have chosen instead of the one it supposedly understood through voice recognition.

    • I happen to enjoy the complete randomness Alexa has with music (primary use case for us, then alarms, then weather).

      In many cases I have to use my laptop to find an exact song name, try and get it to play "love is what I got - reprise by Sublime" (the acoustic version, last song on album). It will work, but after a few comical attempts.

    • by cusco ( 717999 )

      You can look in the history in your Alexa app and see what it understood, then mark it correct or not. This can help a lot when you have a specific command that it has trouble understanding. You can also say, "Alexa, learn my voice." It will run you through a short script that will improve its analysis of future commands.

      When I told my wife we could change the wake up word to 'Amazon' or 'Computer' she asked, "Can I tell it 'Hey, bitch'?" No, sorry love, that's not supported.

  • No, it couldn't have. I don't use Alexa.

  • Obviously you have to tell Alexa each night:

    "Alexa, forget everything I ever said!"

  • but this is exactly the kind of scenario that has led to me not allowing one of these devices in my house.

    NOPE.

    LK
