If you don’t already have two-factor authentication (2FA) turned on for your Amazon account, now is as good a time as any. At a recent summit held by the SANS Institute, a private information security training and research company, it was noted that because the Alexa app does not consistently require 2FA, anyone who has an individual’s Amazon credentials can get into that person’s Alexa account.
Brian Moran of digital forensics company BriMor Labs discovered the issue while testing the app on multiple devices. As he found, the first sign-in by a user on a mobile device requires a PIN delivered by SMS to verify the user, but this is the only time 2FA is required.
This means, as detailed in the SANS presentation, that anyone holding another person’s Amazon credentials could sign into that account on any device and:
- Make Alexa calls as another person
- Receive Alexa calls sent to another person
- Send Alexa messages as another person
- Receive Alexa messages sent to another person
- Have another person’s Alexa contacts synced to your device
All of this could happen without the original user ever knowing about the activity. Of course, if someone else has your Amazon credentials, worse things can happen than calls being placed through your account. But considering the new Echo Show lets you “drop in” on a trusted contact and see inside their home, it’s yet another reason to enable 2FA on the Amazon account behind your Echo devices.
According to SANS, the Amazon security team was glad the issues were identified and is working on fixes. The two real weaknesses here are that the SMS PIN is requested only once per device (which it seems Amazon will fix), and that there is no way to sign out other devices that already have access once you do enable 2FA for Amazon.
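The two behaviours described above, the per-device one-time PIN check and the lack of any way to revoke sessions that already exist, next to a hardened policy that demands the second factor on every sign-in and throws other devices out when 2FA is turned on. This is an added Python model, not Amazon’s, SANS’s or BriMor Labs’ code. It assumes a password-plus-OTP account with device-bound session tokens; `otp_valid` stands in for a verified SMS code, and `Account`, `scenario` and the device names are made up for the illustration.

```python
"""Device-bound sessions under two second-factor policies.

Added, constructed example; it is not Amazon's, SANS's or BriMor Labs' code.
It models the two behaviours the post describes (a second factor asked for
only on a device's first sign-in, and no way to revoke existing sessions)
next to a hardened policy that asks for the factor on every sign-in once
2FA is on and revokes other sessions at the moment it is enabled.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Session:
    device_id: str
    token: str


class Account:
    """One account; strict=True selects the hardened policy."""

    def __init__(self, password: str, strict: bool) -> None:
        self._password = password.encode()
        self.strict = strict
        self.two_factor_enabled = False
        self.sessions: Dict[str, Session] = {}   # token -> Session
        self._seen_devices: Set[str] = set()

    def sign_in(self, password: str, device_id: str, otp_valid: bool) -> Optional[str]:
        """Return a session token, or None when sign-in is refused.

        otp_valid stands in for a verified SMS or TOTP code; generating and
        delivering the code is outside this model.
        """
        if not hmac.compare_digest(password.encode(), self._password):
            return None
        if self.strict:
            # Hardened: with 2FA on, every sign-in needs the second factor.
            needs_otp = self.two_factor_enabled
        else:
            # Weak: the factor is demanded only the first time a device is
            # seen; later sign-ins from that device need just the password.
            needs_otp = device_id not in self._seen_devices
        if needs_otp and not otp_valid:
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = Session(device_id, token)
        self._seen_devices.add(device_id)
        return token

    def is_signed_in(self, token: Optional[str]) -> bool:
        return token is not None and token in self.sessions

    def sign_out_other_devices(self, token: str) -> int:
        """Revoke every session except the caller's; returns how many."""
        if not self.strict:
            # The weak policy offers no such action at all.
            raise NotImplementedError("no session revocation in the weak policy")
        if not self.is_signed_in(token):
            raise PermissionError("caller is not signed in")
        others = [t for t in self.sessions if t != token]
        for t in others:
            del self.sessions[t]
        return len(others)

    def enable_two_factor(self, token: str) -> int:
        """Turn 2FA on from an authenticated session; returns sessions revoked."""
        if not self.is_signed_in(token):
            raise PermissionError("caller is not signed in")
        self.two_factor_enabled = True
        if not self.strict:
            return 0   # weak: flag flips, every existing session survives
        # Hardened: turning 2FA on is exactly when other devices that
        # already hold a session must be thrown out.
        return self.sign_out_other_devices(token)


def scenario(strict: bool) -> dict:
    """Owner and attacker both hold the password; the attacker already has a
    session on their own device when the owner turns 2FA on."""
    pw = "constructed-example-password"
    acct = Account(pw, strict=strict)
    owner = acct.sign_in(pw, "owner-phone", otp_valid=True)
    # How the attacker passed the device's first-time check is not modelled;
    # what matters is that this session exists before 2FA is enabled.
    attacker = acct.sign_in(pw, "attacker-device", otp_valid=True)
    revoked = acct.enable_two_factor(owner)
    # Attacker, knowing only the password, tries again from the same device.
    retry = acct.sign_in(pw, "attacker-device", otp_valid=False)
    return {
        "revoked": revoked,
        "attacker_session_survives": acct.is_signed_in(attacker),
        "attacker_signs_in_again_without_otp": acct.is_signed_in(retry),
    }


if __name__ == "__main__":
    print("weak    :", scenario(strict=False))
    print("hardened:", scenario(strict=True))
```

Under the weak policy the attacker’s session outlives the owner enabling 2FA, and the attacker can sign back in from the same device with the password alone; under the hardened policy enabling 2FA revokes that session and any later sign-in needs the second factor.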
So, PSA: if you already have 2FA turned on for Amazon, you should be okay. If you don’t, you should probably go ahead and enable it, especially if you’re considering getting the Echo Show.