An intelligent virtual assistant (IVA) or intelligent personal assistant (IPA) is software that performs tasks or services for a person in response to spoken or typed commands and questions. Amazon Alexa, commonly known simply as "Alexa", is the AI-based virtual assistant developed by Amazon: it holds voice conversations, plays music, sets alarms and, among other tasks, controls smart devices as part of a home automation system.

One advantage of Alexa is that it can "evolve", so to speak, learning new tricks in the same way a mobile phone gains capabilities with every app that is installed. In Alexa's case these are called "skills": additional functionality developed by third parties, which can be thought of as applications. From a security standpoint that matters, because a skill is code you did not write, installed into an account that holds your voice history and controls your devices.

Alexa vulnerabilities or risks

Of course, not everything is rosy. Answering questions from a US senator about the security of the system, an Amazon executive acknowledged that the Alexa service keeps its users' conversations indefinitely unless the customer chooses to delete the history, and that even then the data does not always disappear completely. The same executive also disclosed that thousands of Amazon employees around the world review a random sample of the conversations users have with Alexa every day, as many as 1,000 conversations per shift.

As we said, the tool can be useful, but it raises an obvious question: is it acceptable for other people to hear what you talk about? If you mention a health problem or any other personal detail, that data ends up exposed to who knows whom, because we do not know where the recordings go or how many people end up with access to them.

Worse still, Check Point reported that its investigation found certain Amazon/Alexa subdomains vulnerable to a cross-origin resource sharing (CORS) misconfiguration and to cross-site scripting (XSS). In the words of the Check Point report: "our findings show that certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and cross-site scripting. Using the XSS we were able to get the CSRF token and perform actions on the victim's behalf." The chain is what matters: the XSS runs attacker script inside a trusted Amazon origin, the over-permissive CORS policy lets that script read authenticated responses from other Amazon subdomains, and the CSRF token it recovers is precisely the secret that is supposed to stop a forged request from being accepted.
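The CORS half of that chain, as an added example that is not part of the original post and is neither Check Point's proof of concept nor Amazon's code: a small Node.js model of three server-side CORS policies (two weak, one hardened) and of the browser check that decides whether a page on another origin may read a credentialed response. The origins, the allow-list, the endpoint and the token value are all constructed for the example; the real Amazon subdomains are not reproduced. The suffix-match variant goes beyond the page: it is a common way such a misconfiguration arises in practice.

```javascript
// Added illustration of the CORS-misconfiguration step. Not Check Point's PoC
// and not Amazon's code; every origin, header value and token below is
// constructed for the example.

// Hypothetical allow-list of origins that may read authenticated API responses.
const TRUSTED_ORIGINS = new Set([
  "https://alexa.example.com",
  "https://www.example.com",
]);

// Constructed stand-in for an authenticated API response whose body carries
// the session's anti-CSRF token, the kind of value the report says was readable.
const AUTHENTICATED_RESPONSE_BODY = JSON.stringify({ csrfToken: "tok-constructed-123" });

// Weak policy 1: reflect whatever Origin the request carries, with credentials.
// Every site on the internet thereby becomes a "trusted" origin.
function corsHeadersReflect(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Weak policy 2: a sloppy suffix match meant to admit "our own subdomains".
// It also admits https://evilexample.com, whose string ends in "example.com" too.
function corsHeadersSuffix(requestOrigin) {
  if (requestOrigin.endsWith("example.com")) {
    return corsHeadersReflect(requestOrigin);
  }
  return {};
}

// Hardened policy: exact match against the allow-list; any other origin gets no
// Access-Control-Allow-Origin header at all. "*" is never combined with
// credentials, and Vary: Origin stops caches serving one origin's answer to another.
function corsHeadersHardened(requestOrigin) {
  if (!TRUSTED_ORIGINS.has(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Minimal model of the browser's CORS check for a credentialed (cookie-bearing)
// cross-origin fetch: the page at pageOrigin may read the body only if
// Access-Control-Allow-Origin equals that exact origin (a wildcard is rejected
// for credentialed requests) and Access-Control-Allow-Credentials is "true".
function browserExposesResponse(pageOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (acao === undefined || acao === "*") {
    return false;
  }
  return acao === pageOrigin && acac === "true";
}

// Simulates a page at pageOrigin sending a credentialed request to an API
// guarded by corsPolicy. Returns the CSRF token if that page can read it,
// otherwise null. Because the victim's cookies ride along automatically, a
// readable token is all an attacker needs to forge a state-changing request.
function tokenReadableBy(pageOrigin, corsPolicy) {
  const headers = corsPolicy(pageOrigin);
  if (!browserExposesResponse(pageOrigin, headers)) {
    return null;
  }
  return JSON.parse(AUTHENTICATED_RESPONSE_BODY).csrfToken;
}

// Demonstration with constructed origins.
const ATTACKER = "https://attacker.example";
const LOOKALIKE = "https://evilexample.com";
console.log("reflect  :", tokenReadableBy(ATTACKER, corsHeadersReflect));   // token leaks
console.log("suffix   :", tokenReadableBy(LOOKALIKE, corsHeadersSuffix));   // token leaks
console.log("hardened :", tokenReadableBy(ATTACKER, corsHeadersHardened));  // null
console.log("hardened :", tokenReadableBy(LOOKALIKE, corsHeadersHardened)); // null
console.log("trusted  :", tokenReadableBy("https://alexa.example.com", corsHeadersHardened)); // token, as intended
```

Run it with node. Note that the hardened policy answers an unknown origin with no Access-Control-Allow-Origin header rather than an error; that is the correct behaviour, since the browser then refuses to expose the response to the calling page. The check to run against a real deployment is the same as the model: send a request with a foreign Origin header and see whether it comes back reflected next to Access-Control-Allow-Credentials: true.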

This means that an attacker could:

Get a list of all skills installed in the user’s Alexa account

Get the victim's voice history with their Alexa

Silently install skills (apps) on a user’s Alexa account

Silently remove an installed skill

