Amazon's Alexa hacked to disclose Personally Identifiable Information (PII) of Users


Image by Checkpoint Research

Amazon's voice assistant Alexa could be exploited to hand over user data due to security flaws in the service's subdomains. The smart voice assistant, which is found in devices such as the Echo Dot and Amazon Echo - with over two hundred million shipments worldwide - was vulnerable to attackers seeking user Personally Identifiable Information (PII) and voice recordings.

Attack Flow

Check Point Research said that the security issues stemmed from Amazon Alexa subdomains susceptible to two flaws: Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting (XSS). When Check Point first began examining the Alexa mobile application, the company noticed an SSL pinning mechanism that prevents traffic inspection. However, this mechanism could be bypassed using the Frida SSL universal unpinning script.

This led to the discovery of a misconfigured CORS policy in the application, which allowed Ajax requests to be sent from Amazon subdomains. If a subdomain was found to be vulnerable to code injection, a cross-site scripting attack could be launched, and this was performed via and
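As an added example (not code from Check Point's report or from Amazon), here is the general shape of the CORS weakness described above, written as a small Node.js origin check: a policy that trusts every subdomain of a parent domain while allowing credentials, beside an exact-match allowlist. The hostnames are hypothetical placeholders, not the subdomains from the research.

```javascript
// Added example, not Check Point's or Amazon's code. Hostnames are placeholders.

// Weak policy: reflect any Origin whose host is the parent domain or one of
// its subdomains, with credentials enabled. Every subdomain becomes trusted,
// so script injected into any one of them can read authenticated responses.
function weakCors(origin) {
  let host;
  try {
    host = new URL(origin).hostname;
  } catch (e) {
    return null; // not a valid Origin header: send no CORS headers at all
  }
  if (host === 'example.com' || host.endsWith('.example.com')) {
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
    };
  }
  return null;
}

// Hardened policy: an explicit allowlist of full origins (scheme included)
// that genuinely need credentialed access. Anything else gets no CORS
// headers, so the browser refuses to expose the response to the caller.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

function strictCors(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin', // keep caches from serving one origin's headers to another
  };
}

// Audit helper: does this policy let the given origin make credentialed
// cross-origin reads?
function allowsCredentialedRead(policy, origin) {
  const h = policy(origin);
  return h !== null && h['Access-Control-Allow-Credentials'] === 'true';
}

// Constructed origins: the first-party app, and an unrelated subdomain that a
// defender should assume could one day host injected script.
const LEGIT_ORIGIN = 'https://app.example.com';
const OTHER_SUBDOMAIN = 'https://promo.example.com';
```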

Source: Checkpoint Research (CORS)

According to Check Point, exploiting the flaws would only take a victim clicking on a malicious link. A victim routed to a domain via phishing, for example, could be subject to code injection and the theft of their Amazon-related cookies. A threat actor could then use these cookies to send an Ajax request to the Amazon skill store, which would send back a list of all skills installed in the victim's Amazon Alexa account.

By launching an XSS attack, the researchers were also able to acquire CSRF tokens and therefore perform actions while masquerading as the victim. This could include removing or installing Alexa skills: by using the CSRF token to remove a skill and then install a new one with the same invocation phrase, an attacker-controlled skill could be triggered in its place.

Source: Checkpoint Research (Acquire CSRF Token via XSS)

Should a victim unwittingly trigger this new skill, attackers may be able to access voice history records and abuse skill interactions to harvest personal information. During testing, Check Point found that critical data such as phone numbers, home addresses, usernames, and banking data history could theoretically be stolen.

Source: Checkpoint Research (Personal Information of Victim)

The team says: "Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim's interaction with the bank skill and get their history of data. We can also get details like usernames and phone numbers, depending on the skills installed on the user's Alexa account." However, Alexa does redact banking information specifically in histories and logs.

Proof of Concept

Skill abuse is an interesting form of attack and a potential way for cyberattackers to enter our homes - although the time window before malicious skills are spotted and removed may be short. It's important to note that Amazon conducts security reviews as part of skill certification, and continually monitors live skills for potentially malicious behavior, the security researchers say. 

Any offending skills that are identified by Amazon are blocked during certification or quickly deactivated. Check Point researchers disclosed their findings privately to Amazon in June 2020, and the security issues have now been patched. 

Source: Checkpoint Research (Video POC)

Oded Vanunu (Head of Products Vulnerabilities Research at Check Point) commented: "We conducted this research to highlight how securing these devices is critical to maintaining users' privacy. Thankfully, Amazon responded quickly to our disclosure to close off these bugs on certain Amazon/Alexa subdomains. We hope manufacturers of similar devices will follow Amazon's example and check their products for flaws that could compromise users' privacy."
