Both Check Point and Amazon note that all skills in Amazon’s store are screened and monitored for potentially harmful behavior, so it’s not a foregone conclusion that an attacker could have planted a malicious skill there in the first place. Check Point also suggests that a hacker might be able to access banking data history through the attack, but Amazon disputes this, saying that information is redacted in Alexa’s responses.
“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us,” an Amazon spokesperson told WIRED in a statement. “We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”
Check Point’s Vanunu says that the attack he and his colleagues discovered was nuanced and that it’s not surprising Amazon didn’t catch it on its own given the scale of the company’s platforms. But the findings offer a valuable reminder for users to think about the data they store in their various Web accounts and to minimize it as much as possible.
Not a case of “OK, come on in!”
“This definitely wasn’t a case of an open door and ‘OK, come on in!'” Vanunu says. “This was a tricky attack, but we’re glad Amazon took it seriously, because the implications could have been bad with 200 million Alexa devices out there.”
Though you can’t control whether Amazon has a bug in one of its far-flung Web services, you can minimize data on your Alexa account. After blowback over hazy practices related to using human transcribers for some Alexa users’ audio snippets, Amazon made it easier to delete your audio history. It’s important to do this regularly, because otherwise Amazon will store those recordings indefinitely.
To view and delete your Alexa history, open the Alexa app on your phone and go to Settings > History. In this view, you can only delete entries one by one. To delete en masse, go to Alexa Privacy Settings on Amazon’s Website and then choose Review Voice History. You can also delete verbally by saying, “Alexa, delete what I just said” or “Alexa, delete everything I said today.”
This story first appeared on wired.com.