Amazon Alexa: why you do not risk anything

The web has been on fire in recent days following the discovery of a flaw concerning Amazon Alexa, presented as critical by some of our colleagues. Although aware of this information, we did not wish to relay it directly, but preferred to investigate the subject in order to give you an accurate picture of the situation rather than simply translating American articles. And, as you will see, a keen eye allows any regular user of Amazon's voice assistant to detect the rather improbable nature of this exploit brought to light by Check Point Research. Because, yes, this story of a flaw is more fantasy than reality...

1. Amazon Alexa flaw: phishing as a prerequisite

Phishing: beware of fake Amazon emails

The exploit begins with phishing, a technique used to steal your personal data. As is often the case, the scam relies on a forged email. The attacker pretends to be Amazon and sends you a fake email inviting you to click on a link pointing either to a counterfeit Amazon site, or to an Amazon domain where they would have code injection capabilities...

Our opinion: the biggest flaw is, as is often the case, the user who clicked on the link in a fake email! If you are careful, this should not happen to you.

Our advice: always check the sender's email address and only click links in the email if you are sure where they come from. Once on the site, verify that it uses the secure HTTPS protocol (symbolized by the famous little padlock in your web browser). SSL is not flawless, but it is a first barrier.

2. Vulnerable Amazon subdomains: a problem already solved

The hacker used subdomains of the e-commerce giant, in this case two subdomains that were not sufficiently secured.

Contacted by us, an Amazon spokesperson acknowledged it and told us: "The safety of our devices is a top priority. We value the work of independent researchers such as Check Point who share potential issues with us. We addressed this issue soon after it was brought to our attention and continue to strengthen our systems. We are not aware of any cases of use of this vulnerability against our customers or exposure of information from our customers."

Our opinion: a victim routed to these subdomains via phishing, for example, could indeed have been subject to code injection and to the theft of their Amazon-linked cookies. Fortunately, Amazon has since strengthened the security of its sites, and the second subdomain no longer exists.
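The risk described above (script injected on a subdomain reading the victim's session cookies) is limited by the standard cookie attributes: HttpOnly keeps the cookie out of reach of document.cookie, Secure keeps it off plain HTTP, SameSite stops it riding on cross-site requests, and a Domain attribute widens it to every subdomain. The following audit script is an added example, not code from the article or from Amazon; the header values are constructed samples and the cookie names are invented.

```python
# Added example: audit Set-Cookie headers for attributes that limit cookie theft
# by injected script. Not from the article; all sample headers are constructed.

def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header):
    """Return a list of findings (empty list means the cookie is hardened)."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: injected script can read the cookie via document.cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain http")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie is attached to cross-site requests")
    domain = attrs.get("domain", "").lstrip(".")
    if domain:
        # RFC 6265: a Domain attribute makes the cookie visible to every subdomain of it,
        # so script running on any sibling subdomain receives it too.
        findings.append("Domain=%s: cookie is shared with every subdomain of %s" % (domain, domain))
    return findings


if __name__ == "__main__":
    # Constructed sample headers: a weak cookie and its hardened counterpart.
    samples = [
        "session-token=abc123; Path=/; Domain=.example.com",
        "session-token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    ]
    for hdr in samples:
        print(hdr)
        for finding in audit_cookie(hdr) or ["ok"]:
            print("  -", finding)
```

Run it against real response headers (for example pasted from the browser's network panel) to see which of your own cookies would have survived a script injection on a sibling host.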

Our advice: the same as before: don't click any link without first double-checking the legitimacy of the sender! If you make a purchase on Amazon, make sure you are on a main domain ending in .fr or .com.
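The two pieces of advice above (check HTTPS, and make sure the host really is the merchant's main domain) can be turned into a mechanical check before a link is followed. The script below is an added example, not code from the article; the trusted domain list and the sample URLs are assumptions chosen for illustration. It catches the usual tricks: a plain http scheme, a look-alike host such as amazon.fr.example.net, a user@host prefix that hides the real host, and punycode labels.

```python
# Added example: decide whether a link really points at a trusted main domain
# over HTTPS. Not from the article; TRUSTED_DOMAINS and sample URLs are assumed.
from urllib.parse import urlsplit

# Assumption for the example: the merchant's main domains (the article says ".fr or .com").
TRUSTED_DOMAINS = ("amazon.fr", "amazon.com")


def host_belongs_to(host, domain):
    """True if host is the domain itself or a real subdomain of it (label boundary respected)."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def check_link(url, trusted=TRUSTED_DOMAINS):
    """Return a list of problems with the link; an empty list means it passed."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        problems.append("not https")
    host = parts.hostname or ""  # hostname drops userinfo and port, lower-cases
    if parts.username is not None:
        # "https://amazon.fr@evil.example/" is parsed by browsers as host evil.example
        problems.append("userinfo before '@' hides the real host: %s" % host)
    if not any(host_belongs_to(host, d) for d in trusted):
        problems.append("host '%s' is not under %s" % (host, ", ".join(trusted)))
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("punycode label in host: possible look-alike characters")
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        problems.append("non-ASCII host: possible look-alike characters")
    return problems


if __name__ == "__main__":
    # Constructed sample links, not taken from any real phishing campaign.
    for sample in (
        "https://www.amazon.fr/gp/css/order-history",
        "http://amazon.fr.example.net/signin",
        "https://amazon.fr@evil.example/",
    ):
        print(sample, "->", check_link(sample) or "ok")
```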

3. The hacker logs in to the Alexa account: credentials required

The hacker accesses the victim's Amazon Alexa account. OK, but he needs credentials. How did he get them?

Our opinion: although the Check Point Research video shows an Alexa application being targeted by an attack, the user's credentials are still needed... The researchers do not specify how they obtained them and do not show this phase. Note that Amazon's e-commerce sites obviously do not transmit this information unencrypted.

Our advice: since Amazon offers two-factor authentication, we recommend that you activate it. You will then notice that Alexa systematically asks for an OTP code (one-time password, a code that changes each time) to access your account. Since this code is sent by SMS or generated by an application such as Google Authenticator on your smartphone, the hacker will have a hard time going any further.
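The "code that changes each time" produced by an authenticator app is a TOTP (RFC 6238): an HMAC of a shared secret and the current 30-second time step, truncated to a few digits, so a code phished today is useless a minute later. The implementation below is an added example for illustration, not code from the article, from Amazon or from Google Authenticator; it uses only the Python standard library and the public RFC 6238 test seed, and the verification window of one step is a design choice of this example.

```python
# Added example: RFC 6238 TOTP generation and verification with the standard library.
# Not from the article; the seed is the public RFC 6238 test vector.
import base64
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC(key, counter) with dynamic truncation to `digits` digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(key, msg, digestmod).digest()
    offset = digest[-1] & 0x0F                            # low nibble selects 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, for_time=None, step=30, digits=6, t0=0):
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since t0."""
    if for_time is None:
        for_time = time.time()
    counter = int((for_time - t0) // step)
    return hotp(key, counter, digits)


def verify_totp(key, code, for_time=None, window=1, step=30, digits=6):
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    if for_time is None:
        for_time = time.time()
    for delta in range(-window, window + 1):
        candidate = totp(key, for_time + delta * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def secret_from_base32(text):
    """Authenticator apps share the secret as Base32 (the string behind the QR code)."""
    return base64.b32decode(text.replace(" ", "").upper(), casefold=True)


if __name__ == "__main__":
    # RFC 6238 appendix B test seed for SHA-1.
    seed = b"12345678901234567890"
    print("code at T=59:", totp(seed, for_time=59, digits=8))  # 94287082 per the RFC
    print("current 6-digit code:", totp(seed))
```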

4. Activation of an unpublished skill: a low probability

The exploit video shows the hacker activating a skill from the victim's Alexa application. New problem: the activated skill was never published by Amazon on the Alexa skills store. In other words, it has in no case been certified by Amazon, and this attack depends on it being publishable. Already unlikely, the scenario starts to pile up assumptions...

Our opinion: the "skill" has never been published, so the demo video is misleading. To pull off this feat, the hacker must first have their skill validated and, having been through it several times, we can tell you that passing Amazon's certification process is far from easy. What the researchers at Check Point Research have shown in this section is therefore unlikely to succeed in reality.

Our advice: fear not, this is unlikely to happen in reality. Indeed, Amazon performs security checks as part of the certification of Alexa skills and continuously monitors live skills to detect potentially malicious behavior. All identified malicious skills are blocked during certification or quickly deactivated.

5. No bank details in the Alexa voice history

Sensationalism sells, and the researchers at Check Point Research seem fully aware of this, implying that it would be possible to retrieve bank data via the Alexa voice history.

Our opinion: there is no banking information in the Alexa voice history. If the user ever gives such information, it is automatically deleted. Moreover, the researchers acknowledge this and specify: "Amazon does not save your bank login details". To recover it, one would need to obtain the history of your bank's skill, and you can imagine that banking applications are particularly well secured.

The skill given as an example is that of BECU, the Boeing Employees' Credit Union, Boeing's employee bank, and Boeing never asks for full bank details, only the last four digits (see screenshot below).

In short, the hacker could therefore not recover anything very important, and you have nothing to fear: no bank offers such a skill on the Alexa skills store in France.

Our advice: do not activate a banking skill if you fear that your data could be compromised, even partially. In general, avoid giving your banking information out loud.

In conclusion, as you will have understood, Amazon has acknowledged security flaws in some of its subdomains. Informed in advance by Check Point Research, its teams corrected them well before the exploit was published, and no Alexa user was affected. It must be said that the process was both long and relatively complex. Indeed, the researchers assume that the user would have clicked on the link, then that they would have managed to inject malicious code on an official site of the e-commerce giant, and finally that the Amazon customer would have placed an order outside the sales sites in order to retrieve a token. Unlikely. Note, and this is ultimately the most important point, that bank data cannot be recovered under any circumstances since it is redacted from Alexa responses. In short, you risk nothing!

Fascinated by Alexa since the day I received it as a beta tester, I gradually became passionate about the subject, before deciding to go further by creating a site with Jean-Christophe. An activity that allows me to quench my thirst for new technologies and share my discoveries with the nicest of communities: Les Alexiens.