Researchers at cybersecurity provider Check Point uncovered a flaw in Amazon’s Alexa virtual assistant that left owners’ personal information vulnerable before it was patched in June.
The researchers detailed the vulnerability in a report released Thursday, saying potential hackers could have hijacked the voice assistant devices using malicious Amazon links.
Once those links were clicked, hackers would be able to install or remove “Skills” – essentially apps – from Alexa devices.
They would also be able to access the user’s voice history with their device as well as personal information as sensitive as banking data and home addresses.
Check Point presented the flaw to Amazon this past June and the company subsequently fixed the security issues. The online retail giant did not immediately return a request for comment from The Hill.
Experts have long warned about security vulnerabilities present in the internet-enabled devices that are now commonplace in many American homes.
More than 200 million Alexa-enabled devices were sold by the end of 2019, and a vulnerability in those devices could pose serious privacy risks.
“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,” Oded Vanunu, head of products vulnerabilities research at Check Point, said in a statement.
“But hackers see them as entry points into people’s lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.”
Amazon, however, has insisted the devices are safe.
“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us,” an Amazon spokesperson said in a statement to The Hill. “We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”