EXECUTIVE SUMMARY:

Conversation is a natural means of communication for humans, pointing towards the popularity of smart-home devices, like Amazon’s Alexa. In 2019, more than 200 million Alexa smart-home devices made their way into consumers’ living spaces. Yet, a security flaw in the devices could have exposed users’ personal information to hackers. In June, cyber security researchers demonstrated that malicious Amazon links could jeopardize people’s personal data.

How would hackers have orchestrated this smart device attack?

After a user clicked on a malicious link, a hacker could obtain a list of all installed Alexa “skills,” or apps. In the process, a hacker could also steal a token that would permit the removal or addition of skills. Malicious “skills,” with the capacity to run malicious apps, could have easily been integrated into the smart-home system.

What now?

Since the discovery of the issue, Amazon has successfully fixed the bugs. It’s uncertain as to whether hackers could have known about the specific subdomains required to pull off the attack. “Although if the security researchers found it, I’m sure less scrupulous people could have done the same,” said cyber security expert Prof Alan Woodward.

Expert Oded Vanunu says that smart-home device users should exercise caution when it comes to the number of skills that they choose to install on smart devices. “Smart speakers and virtual assistants are so commonplace. It is easy to overlook just how much personal data they hold and their role in controlling other smart devices in our homes,” he noted. Do you really need your smart device to make purchases for you, which means giving it access to your credit card information?

For more information on smart devices for the home and cyber security, visit The Hill.