Now patched vulnerabilities in servers used by Amazon.com Inc.’s Alexa smart home devices could have been exploited to obtain the personal information of users, including voice recordings.

Detailed today by security researchers at Check Point Software Technologies Ltd., the vulnerabilities relate to several subdomains relating to Alexa web services. The domains were found to be vulnerable to Cross-Site Scripting and Cross Original Resource Sharing.

A successful hack exploiting the vulnerabilities would involve several steps. First, it would require a user to be tricked to click on a malicious link that would direct them to track.amazon.com where the attacker could then inject code. Once code was injected, the attacker could then send a request with the user’s cookers to another Amazon page to obtain a list of all installed skills on the Alexa account along with a Cross-Site Request Forgery token. Using that token, a would-be hacker could then swap out a skill from the user’s list and replace it with a malicious one that would be triggered once the user attempted to use the skill.

With access granted, a hacker could obtain the user’s voice history along with their username, home address and phone number.

The security researchers reached out to Amazon. which fixed the vulnerabilities prior to Check Point publishing the details.

Amazon said in a statement that “the security of our devices is a top priority and we appreciate the work of independent researchers like Check Point who bring potential issues to us. We fixed this issue soon after it was brought to our attention and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”

Deral Heiland, IoT research lead at security operations firm Rapid7 Inc. told SiliconANGLE that the attack required potential victims to follow a malicious link to extract a security token allowing access. That at least reduces the risk by not being a simple compromise but instead requiring some action from the user.

Still, he noted, “with cloud Web/API services potentially being the entry point to every IoT device in existence I think we often overlook the potential risk and impact to vulnerabilities in these exposed cloud Web API services and have a tendency to hyper-focus on vulnerabilities found in the physical hardware. Attacks against cloud Web/API services are often simpler to pull off than embedded device attacks and it is most likely that a malicious actor will focus on these services.”

Javvad Malik, security awareness advocate at security awareness training company KnowBe4 Inc., noted that the attack relies on social engineering the victims to click on a phishing link, which security awareness and training can help prevent.

“From a technological perspective, as the connected ecosystem of devices grows, it becomes increasingly important for manufacturers to ensure all code and access is assessed not just for technical security flaws but also where processes can be bypassed by criminals to reveal sensitive information, corrupt data or make them unavailable,” Malik added.

Photo: BestAI Assistant/Flickr