Original article was published by Tapaan Chauhan on Artificial Intelligence on Medium
Check Point Reveals That Privacy Policies Are at Risk for Smart Speaker Users
A recently disclosed loophole made the news headlines: researchers found that attackers might have access to personal conversations mistakenly recorded by Alexa.
Researchers at Check Point found out that Alexa was capable of giving away personal information, Amazon account data, and also conversation history. They revealed in a recent blog post how an attacker could carry out the hack, starting with a mysterious link that points to a page with code-injection capabilities.
Apparently, Amazon quietly covered this issue up and fixed the problem. But fixing this issue does not mean that others won’t follow. Nor can we shy away from the fact that privacy concerns regarding smart speakers have always been a major issue.
It’s one of the prime reasons why people avoid buying smart speakers to date.
Privacy Issues Are Now a Major Concern
There is no doubt that our privacy is at constant risk when it comes to voice assistants. A recent study even revealed that smart speakers are always listening, wake word or no wake word.
With the arrival of advanced, state-of-the-art technology, there has been a rise in technical bugs and issues too. A recent study even revealed that smart speakers are quite capable of mistakenly exposing personal conversations.
A study by Clemson University School of Researches also claimed that the privacy policies of Amazon Alexa and Google Assistant are “problematic”. They even fail to fulfill basic privacy requirements.
Privacy is so much at stake that even acclaimed law firms like Mishcon de Reya advise their staff to mute their smart speakers while discussing client matters at home.
Check Point Reveals How They Identified the Issue
The Check Point researchers claim that they identified the issues while conducting tests with the Amazon Alexa smartphone app.
While using a script to bypass a mechanism that was potentially preventing them from inspecting network traffic, they found that several requests made by the app allowed requests to be sent from any Amazon subdomain.
To their horror, those requests even had misconfigured privacy policies! They speculated that there was a high chance that attackers with code-injection capabilities on one subdomain could perform a cross-domain attack on another Amazon subdomain.
In simple words, the researchers successfully fooled the software into believing that they weren’t inspecting the network traffic. This allowed them to replace the real app owner with a fake one linked to malicious code.
Once the real user unknowingly clicked the link, the researchers could take over the account! The hacker can now add or remove Alexa skills, view the history of voice commands, and extract personal information for potential blackmail or fraud.
The Check Point researchers tagged the Internet of Things and smart devices to immediately look into this issue.
Here’s a list of things that the hackers can do:
- They can retrieve the list of voice apps of the user’s account, and replace one with their own app published on the Amazon Alexa Store.
- They can quietly remove an app from the user’s account.
- They can retrieve the user’s voice history, including each voice command and its response. This could reveal personal information like usernames, passwords, IDs, etc.
- They can also look up personal information of the users, such as their home addresses stored in their profiles, etc.
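The "any Amazon subdomain" trust described above comes down to how a server decides which origins may make credentialed cross-origin requests. The following added example (not code from Check Point, Amazon or the original article) contrasts a suffix-match policy with an exact allow-list; it assumes the decision is a CORS-style origin check, and every hostname in it is a constructed placeholder.

```javascript
// Added example; all hostnames are constructed placeholders.
// Assumption: the "any subdomain" trust is a CORS-style Origin check.

// Weak policy: trust every subdomain of the parent domain, so a script
// injection flaw on any one subdomain inherits access to this API.
function weakOriginAllowed(origin, parentDomain) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  return url.hostname === parentDomain || url.hostname.endsWith("." + parentDomain);
}

// Hardened policy: exact match (scheme, host, port) against the few
// origins that actually need access.
function strictOriginAllowed(origin, allowList) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  if (url.origin !== origin) return false; // reject anything but a bare origin
  return allowList.has(url.origin);
}

// Response headers a handler would emit for a credentialed request.
function corsHeaders(origin, decide) {
  if (!origin || !decide(origin)) return {}; // no headers: browser blocks the read
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

const PARENT = "example.com";
const ALLOW = new Set(["https://app.example.com"]);
const SAMPLE_ORIGINS = [
  "https://app.example.com",            // the intended front end
  "https://legacy.example.com",         // unrelated subdomain, possibly flawed
  "http://app.example.com",             // downgraded scheme
  "https://app.example.com.other.test", // look-alike suffix
  "null",                               // sandboxed or file origin
];

// Compare which sample origins each policy would grant credentialed access.
function audit() {
  const granted = (o, decide) => "Access-Control-Allow-Origin" in corsHeaders(o, decide);
  return SAMPLE_ORIGINS.map((o) => ({
    origin: o,
    weak: granted(o, (x) => weakOriginAllowed(x, PARENT)),
    strict: granted(o, (x) => strictOriginAllowed(x, ALLOW)),
  }));
}
console.table(audit());
```

The weak policy grants access to the unrelated subdomain and the downgraded scheme; the strict policy grants it only to the one listed origin.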
Check Point and Amazon’s Respective Statements
Check Point explained in a statement, “As virtual assistants today serve as entry points to people’s home appliances and device controllers, securing these points has become critical, with maintaining the user’s privacy being top priority.
This was our “entry point” and central motivation while conducting this research. Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker.”
They also wrote in their blog post, “Virtual assistants are used in smart homes to control everyday IoT devices such as lights, A/C, vacuum cleaners, electricity, and entertainment.
They grew in popularity in the past decade to play a role in our daily lives, and it seems as technology evolves, they will become more pervasive. As virtual assistants today serve as entry points to people’s home appliances and device controllers, securing these points has become critical, with maintaining the user’s privacy being top priority.”
Amazon’s spokesperson explained to VentureBeat, “The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us.
We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”
Amazon’s Quiet Cover-Up
Check Point revealed that they detected this problem way back in June, but held back the report to give Amazon time to come up with a solution. Amazon immediately looked into the problem when informed, and closed the loophole.
Just like its rivals, Amazon’s security policy for privacy has been strengthening and growing stricter. It also tightened the minimum security requirements for Alexa Voice Service.
The combination of hardware and software, along with security updates, is aimed solely at keeping unauthorized users out of the user’s account.
Amazon Alexa and Google Assistant — Both Have Potential Risks
Both Amazon Alexa and Google Assistant have been pretty responsive to such reports. When Security Research Labs informed Amazon and Google about a few loopholes in Google Actions and Alexa skills, Amazon quickly fixed the problem and Google made quite a few Actions unavailable for months on end.
Amazon is already in the midst of a lawsuit in which it stands accused over hackers who posed as customer care officials, made users install a fix-app, and then made off with a large amount of cash through fraudulent activities.
Voice Technology Has a Long Way to Go
Voice technology has surely come far, with ceaseless developments and transformations in the industry overall. But we still think it’s only in its blueprint stage. It still has a long way to go, come what may.