An intelligent virtual assistant (IVA) or intelligent personal assistant (IPA) is a type of software that can perform tasks or services for an individual based on commands or questions. Amazon Alexa, commonly known as “Alexa” is an AI-based virtual assistant developed by Amazon, capable of interacting with voice, playing music, setting alarms, and other tasks, including controlling smart devices as part of a home automation system. home.
One of the advantages of Alexa is that it can ‘evolve’ so to speak, learning new tricks in the same way that a mobile phone increases its capabilities with each new app that is installed. In this case, Alexa has the ‘skills’ or abilities: additional functionalities developed by Third Parties that can be considered as applications – such as weather programs and audio features.
The success of virtual assistants
A decade ago, having a virtual assistant powered by AI learning was something that still seemed futuristic. Today it is common to even have it on your mobile phone. And devices such as Amazon Echo, smart speakers, have become very popular, because they allow a home automation system at low cost. To get an idea, by the end of 2019 more than 200 million devices powered by Alexa had been sold, a figure that in 2020 has grown, even despite the pandemic we are experiencing.
Comfort is maximum, because they are managed with the voice. But there is a problem: As virtual assistants today serve as entry points to people’s home appliances and device controllers, securing these points has become critical, with maintaining user privacy the top priority. This has been the focus of an investigation carried out by Checkpoint’s cybersecurity experts. And the result has been not very encouraging:
Serious vulnerabilities in Alexa
As we can read in the Checkpoint report, “our findings show that certain Amazon / Alexa subdomains were vulnerable to misconfiguration of cross-origin resources (CORS) and cross-site scripting. Using XSS we were able to obtain the CSRF symbol and perform actions on behalf of the victim ”.
In short, these vulnerabilities allow those who know how to exploit them to install and remove skills – from legitimate news applications to malicious skills developed by hackers to steal your information – in your Alexa account and obtain your personal information through those skills. An attacker can:
- Silently install skills (apps) on a user’s Alexa account
- Get a list of all skills installed in the user’s Alexa account
- Silently remove an installed skill
- Get the victim’s voice history with your Alexa
- Obtain the victim’s personal information
In effect, these exploits could have allowed an attacker to remove / install skills on the targeted victim’s Alexa account, access their voice history, and acquire personal information through skill interaction when the user invokes the installed skill. A successful exploit would have required just one click on an Amazon link that has been specially crafted by the attacker.