Is Amazon Alexa Safe? Cybersecurity Researchers Uncover Serious Privacy Issues

A cybersecurity firm has uncovered serious privacy concerns in Amazon's popular "Alexa" device, leading to questions about its safety.

Check Point, the California- and Israel-based technology company, published a report Thursday detailing "vulnerabilities found on Amazon's Alexa," including a hacker's access to the user's voice history and personal information, as well as the ability to silently install or remove skills on the user's account.

"In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim's Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill," according to the report. "Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker."

Amazon's Alexa line is powered by artificial intelligence (AI) technology, and the conglomerate had sold more than 200 million Alexa devices by the end of 2019, CNET reported. The Alexa essentially functions as a virtual assistant to its user, able to take voice commands, play music, set alarms, and offer weather or news reports.

Developers are continually working on new programs to make the devices even more user-friendly. Just a few weeks ago, for instance, Amazon announced Alexa Conversations was moving into its beta phase, and would now be able to provide an AI-driven element to voice interactions, making conversations flow more naturally.

Amazon Alexa
Amazon highlights how its Alexa digital assitant can be integrated into various smart home devices at its exhibit at the Consumer Electronics Show in Las Vegas, Nevada, January 11, 2019. Cybersecurity firm Check Point uncovered serious privacy concerns in the Alexa device in a report published August 13. ROBERT LEVER/AFP/Getty

In its report, Check Point described how an attacker could hack into a user's Amazon account to compromise their Alexa device, including a breakdown of the code needed to carry out such an action. In one example of how an attack could occur, the user would click on a malicious link provided by the hacker, allowing them to inject their code into the user's account.

Check Point also detailed how an attacker could get the device's entire voice history, which could expose banking information, home addresses or phone numbers, as all interactions with the device are recorded.

Virtual assistants provide relatively easy targets for attackers wishing to steal sensitive information or disrupt a user's smart home device, according to the report. Check Point's research found a weak spot in Amazon's security technology, the report stated.

"What we do know is that Alexa had a significant period of time where it was vulnerable to hackers," Check Point spokesman Ekram Ahmed told Fox News. "Up until Amazon patched, it's possible that personal and sensitive information was extracted by hackers via Alexa. Check Point does not know the answer to whether that occurred yet or not, or to the degree to which that happened."

The technology company reported its findings to Amazon in June 2020, and Amazon "subsequently fixed the issue," according to Check Point.

In an emailed statement to Newsweek, an Amazon spokesperson wrote that security of its devices is a top priority for the company.

"We appreciate the work of independent researchers like Check Point who bring potential issues to us. We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems," according to the statement. "We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed."

To ensure Alexa devices are secure, Check Point recommends that users avoid unfamiliar apps, think twice before sharing information with a smart speaker and conduct research on any downloaded apps, a company spokesperson wrote in an email to Newsweek.

Update (08/13/20, 11:52 a.m.): This article has been updated to include responses from Amazon and Check Point.