Hacking Alexa through Alexa’s Speech

An Alexa can respond to voice commands it issues. This can be exploited:

The attack works by using the device’s speaker to issue voice commands. As long as the speech contains the device wake word (usually “Alexa” or “Echo”) followed by a permissible command, the Echo will carry it out, researchers from Royal Holloway University in London and Italy’s University of Catania found. Even when devices require verbal confirmation before executing sensitive commands, it’s trivial to bypass the measure by adding the word “yes” about six seconds after issuing the command. Attackers can also exploit what the researchers call the “FVV,” or full voice vulnerability, which allows Echos to make self-issued commands without temporarily reducing the device volume.

It does require proximate access, though, at least to set the attack up:

It requires only a few seconds of proximity to a vulnerable device while it’s turned on so an attacker can utter a voice command instructing it to pair with an attacker’s Bluetooth-enabled device. As long as the device remains within radio range of the Echo, the attacker will be able to issue commands.

Research paper.

Tags: , , ,

Posted on March 7, 2022 at 6:20 AM13 Comments

Comments

Ted March 7, 2022 8:42 AM

I can’t think that anyone using an Amazon Echo is a privacy or security fanatic. But it’s interesting that turning off the microphone (with a button on the Echo) prevents the exploit.

However, the paper reports that “Nearly 89% of the users never turn off Echo’s microphone, or they do it rarely. The remaining 11% claimed to do it sometimes.”

JonKnowsNothing March 7, 2022 10:00 AM

@ Ted

re: turning off a Voice Activated Device

What would be the point of “turning off a voice activated device”? The whole up-sale is that you can just “talk to the IOT” and “magic happens”.

Ever tried to turn off the “voice activated system” in your car? Nearly all cars these days have an integrated BT connection for smartphones. There are 2 Voice Activation Systems in play: 1) on the phone itself 2) in the car (onstar type).

Even if you turn off the BT connection between the phone to the car, the Voice still operates on the phone (unless you attempt to disable it). The car Voice still operates independently.

There is perhaps a 3d version depending on definitions and that is the Satellite Up Link communication system (onstar type) which has its own talk-to-me mode not requiring a phone at all. Just push the red button on the console.

This might be considered part of the phone but I think of it as a 3d Rail. One way to consider if it’s integrated or not is to consider how you would run QA testing on it. Phone-Person / Phone-Car / Car-Person-Satellite.

There maybe more phones than cars, but there are a lot of cars and a lot of attack surfaces. Automated cars … well…

====

RL Funny tl;dr

I’ve been assisting a friend with a medical issue at the ER. COVID protocols are nice to see still in place in the Hospital. Unfortunately there are a lot of very sick people and not enough staff. (1)

So, hanging about waiting on test results isn’t always permitted. Luckily, I was allowed to hang out with the friend while waiting for the results, when there was an announcement over the PA system.

  “Will the owner of a White Tesla plate number 1234567XYZ please move their car.”

A staff member muttered:

  “Will the owner of a White Tesla plate number 1234567XYZ please bring me a hot meal.”

Technically I wondered why the “the owner of a White Tesla” hadn’t told the car to go “park itself”….

1) I spoke with some staff a about the COVID Omi Wave and in short: it was gruesome and many of the staff have died or quit. The situation remains unchanged, regardless of the political stances on COVID-19.

lurker March 7, 2022 11:30 AM

“… turn off the microphone with a button …”

Hardware turn off button? Asking for a friend, because she says a software button will be defeated by the attacker, real soon now…

Ted March 7, 2022 1:09 PM

@JohnKnowsNothing

What would be the point of “turning off a voice activated device”?

If we’re going beyond the risks of having an always-on microphone, I guess it depends on the threat model. From what I’m reading, the three main uses for Alexa devices are playing music, setting timers, and controlling lights.

However Alexa-enabled devices can do a lot more. And I guess this is where the problem is.

Amazon rated the ‘Alexa vs. Alexa’ (or AvA) vulnerability as Medium severity for several reasons including that the attack does not work over the internet. The threat here is more likely to come from an insider who can get access to the device.

However, who knows how a string of vulnerabilities could be exploited.

JonKnowsNothing March 7, 2022 1:18 PM

@lurker

re: “… turn off the microphone with a button …” Turn off button?

No buttons, software or hardware, are guaranteed to work. The LED maybe off but someone is still home.

afaik the only way to ensure the thing is off is to unplug it, remove batteries, wait N-Days for total battery discharge, and remove it from the premises permanently.

Code function for On/Off or LED On/Off is a software driven indicator.

SetMode()

If IOT(ON)and Mode(Normal) then LED(ON)

else

If IOT(ON)and Mode(Silent) then LED(OFF)

else

If IOT(ON)and Mode(Sneak) then LED(OFF)

pup vas March 7, 2022 1:44 PM

Very close to academic paper
The sophisticated tech predicting if an advert will work
https://www.bbc.com/news/business-60584596

=UK firm, Kantar, is another firm working on these analytics. It’s online testing system also focuses on a person’s emotional response to being shown an advert. One way it does this is !!!!by connecting to a tester’s laptop, or webcam, then using facial-mapping software to monitor their reactions.

Jane Ostler, Kantar’s executive managing director of creative and media products, says this type of more sophisticated testing is increasingly in demand.

This shift is because companies want to advertise their products across a large number of platforms – print, TV and social media. These various mediums may require a different advert for the same product.

“I think for clients, that is the real challenge – not only making it [the adverts] all, and making it all integrated and part of the same campaign, but also how to measure it and whether it is working,” she says.

Psychologist, Stuart Duff, of UK business coaching firm Pearn Kandola, says that if brands want to reach customers hope is the emotion they should focus on.

“Emotions are critical to our memory,” he explains. “We do not remember factual or bland information easily, but something that is moving or uncomfortable will be committed to memory with ease. What are the three most powerful emotions? I would suggest that fear, guilt and hope.

“Hope is associated with feelings of joy and relief, and offers a way out from fear and guilt. It is hope that will move us forward and trigger feelings of trust in the product.”=

lurker March 7, 2022 4:16 PM

@JonKnowsNothing
“No buttons, software or hardware, are guaranteed to work” … in this Brave New World.

I have seen hardware mic switches that worked by open circuiting the line the mic was connected to and put a short-circuit across the mic. Now @Clive will give us a lecture on ground impedance, residual currents &c, but this switch would stop the AvA bug. But I wouldn’t expect the Alexa designers to have the knowledge or experience to think about it, never mind the economics.

Clive Robinson March 7, 2022 6:48 PM

@ lurker,

Now @Clive will give us a lecture on …

I could, but you probably could as well… so feel free, and save my fingers the work 😉

SpaceLifeForm March 8, 2022 3:11 AM

Silly me. I thought the main purpose of an Echo was to collect VoicePrints and wireless MAC addresses.

That one could attack from outside of your house because the BlueTooth signal can get thru the walls, is pretty sneaky.

Short Southpark

hxtps://www.youtube.com/watch?v=sbCj0i8WQA0

pup vas March 9, 2022 3:09 PM

SUPER IMPORTANT RESEARCH
How war videos on social media can trigger secondary trauma
https://www.dw.com/en/how-war-videos-on-social-media-can-trigger-secondary-trauma/a-61049292

=Secondary trauma

Secondary trauma refers to distress or negative emotional effects that result from second-hand exposure. In other words: secondary trauma can occur when an individual hears about the first-hand trauma experiences of another person, or is exposed to gruesome or distressing material via images or videos.

In particular, repeated exposure to disturbing content carries the risk of negative consequences regarding mental well-being. If at all possible, this should be avoided.

Studying the psychological effects of exposure to distressing digital content on social media is a relatively new field of research. The same applies to the study of effective countermeasures.

“Always be prepared, avoid surprises, and be ready to view distressing material any time when moving online,” said Sam Dubberley, managing director of the Digital Investigations Lab at Human Rights Watch, and co-author of a report on eyewitness media and vicarious trauma.

While Dubberley’s research has focused on secondary or vicarious trauma in the journalistic and human rights context, some of his findings can also serve as advice to ordinary social media users viewing content from the war in Ukraine.

Dubberly stresses: “Be honest to yourself. If you see something distressing that affects you, acknowledge it. Don’t brush it under the carpet or pretend it doesn’t affect you if it does.”

Limiting negative impact on mental well-being

Being prepared to potentially encounter disturbing or distressing material when scrolling through a news feed is an important strategy. During a heavily-documented war, a horrific photo or video could be displayed on screen at any moment.

!!!!!!!!!!!The power of sounds should not be underestimated, and social media users are advised to turn off the audio on their news feeds.

!!!!Research has shown that the sound of, say, a person being seriously injured or harmed, “sticks” far more to the psyche than visual material.

There are many highly disturbing videos circulating online, showing people who are victims of attacks and assaults — and hearing !!!their pain and suffering can burn itself into one’s mind for a long time.

If watching videos from the war, social media users should !!!!reduce the size of the video window and !!!!disable autoplay. Turning away from the screen is always an option too.

Regular breaks away from phones and computers are advised to prevent users being exposed to a constant stream of war footage almost every waking hour.

Wars produce a huge amount of distress and trauma, not only for Ukrainians who are directly affected. While it is important to stay informed, social media users should stay aware of possible risks that may result from exposure to disturbing digital material, wherever it is encountered.=

Xenos298 March 15, 2022 9:49 AM

I always wondered what would happen if a popular DJ or podcaster said “Alexa…MAXIMUM VOLUME!” over the air. How many Alexa users would be instantly impacted.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.