Amazon Alexa Bugs Allowed Hackers to Install Malicious Skills Remotely

Smart speakers are popular in homes and some offices, but like most IoT devices they are lacking in security.

On August 13, 2020, Check Point cybersecurity researchers—Dikla Barda, Roman Zaikin and Yaara Shriki— disclosed severe security vulnerabilities in Amazon’s Alexa virtual assistant that could render it vulnerable to a number of malicious attacks.

These vulnerabilities would have allowed an attacker to:

  • Silently install skills (apps) on a user’s Alexa account
  • Get a list of all installed skills on the user’s Alexa account
  • Silently remove an installed skill
  • Get the victim’s voice history with their Alexa
  • Get the victim’s personal information

Amazon has patched the vulnerability since it was discovered, but be mindful of the weaknesses of these devices. Until security is a a priority in production and not an afterthought, we recommend keeping these out of your homes.