According to the researchers, these could include automatically installing Alexa skills without the user's knowledge, acquiring a list of all installed skills, silently removing installed skills, acquiring the victim's voice history with Alexa, and even obtaining personal information. This skill manipulation could allow a modified version of an existing skill to be installed and then used by the user, one that could let the attacker perform actions or acquire further data from the user. It could even be possible for an attacker to install a skill to eavesdrop on conversations near an Echo device.
Check Point claims that successful exploitation of the vulnerabilities would have required only a single click on an Amazon link by the victim.
Check Point responsibly disclosed the vulnerabilities to Amazon in June 2020, and the issues have been fixed.
"Internet of Things devices are inherently vulnerable and still lack adequate security, which makes them attractive targets to threat actors," Check Point writes. "Cybercriminals are continually looking for new ways to breach devices, or use them to infect other critical systems. This research presented a weak point in what is a bridge to such IoT appliances. Both the bridge and the devices serve as entry points. They must be kept secured at all times to keep hackers from infiltrating our smart homes."
Amazon has courted controversy over the security and privacy of its smart home platform in the past. In 2019, it was found that Amazon employees were listening to audio recordings from Echo devices to improve Alexa's accuracy, and later in the same year researchers were able to add spying apps to the app stores for Alexa and Google Home that enabled eavesdropping and phishing. While Apple operates its own HomeKit smart home platform, the company works to keep each element as secure as feasibly possible. This includes extensive use of encryption, as well as a long list of requirements and restrictions each new HomeKit-compatible device must abide by to function on the platform.