Categories: Security

Vulnerability Found in Alexa App, What Should You Do?

Amazon’s Alexa is an incredibly helpful, albeit slightly limited, personal assistant. It can play music, read audiobooks, host a trivia night, set a timer, order pizza, and perform a number of other useful tasks. One more thing Alexa can do? Alexa can allow anyone with your Amazon credentials access to your account’s calling and messaging capabilities. To ensure that this vulnerability, and other similar ones, aren’t allowing hackers to introduce malware onto your Android, be sure to run a Security Scan. This scan will quickly verify that your phone is free of any security breaches:

This vulnerability was revealed at a recent SANS Institute summit. According to Brian Moran of BriMor Labs, Amazon’s lack of two-factor authentication, or 2FA, allows for this security flaw. While the initial mobile sign-in with Alexa requires 2FA, including a PIN sent by SMS, this is the only instance in which this authentication method was required.

If your Amazon Echo account does not have two-factor authentication enabled, anyone with access to your Amazon credentials will be able to make Alexa calls and messages as another account, receive Alexa calls and messages sent to another account, and sync your Alexa account’s contacts with their device. For those who own the brand new Amazon Echo Show, which allows users to virtually “drop in” on trusted contacts’ houses, the dangers this breach poses are even more significant.

Safety Tips

To ensure that this security hole doesn’t result in the loss of sensitive data, all users need to do is turn on two-factor authentication. This can be done by logging in to your Amazon homepage and clicking the “Login and Security” button. From there, click the edit button on “Advanced Security Settings” and then “Get Started.” From there, Amazon will allow you to register your phone number or a preferred authenticator app which can be synced through a QR code.

In fact, relying on 2FA is a smart move for all accounts. This is an easy way to add an extra measure of security of all login sequences. Two-factor authentication can rely on three different types of authentication, including something a user knows (such as a PIN or a password), something a user owns (such as a smartphone), and something to identify a user (such as a fingerprint or retina scan). As the password is often the weakest link in account security, creating a backup mode of authentication is a smart idea in any case.

PSafe Newsroom

The dfndr blog is an informative channel that presents exclusive content on security and privacy in the mobile and business world, with tips to keep users protected. Populated by a select group of expert reporters, the channel has a partnership with dfndr lab's security team. Together they bring you, first-notice news about attacks, scams, internet vulnerabilities, malware and everything affecting cybersecurity.