Last Updated: Mar 08, 2022

The Academic Researchers at the University of Cambridge have created an innovative working technique that commandeers Amazon Echo intelligent speakers and allows them to make phone calls, open doors, and control microwave ovens, furnaces, and other intelligent devices.

The attack is carried out by using the device’s speaker to announce voice commands. As long as the speech includes the device’s name (usually “Echo” or “Alexa”) followed by a valid order, the Echo will carry it out, researchers from Italy’s University of Catania and Royal Holloway University in London found. When devices require a verbal confirmation before making sensitive commands, it is not difficult to bypass the measure by adding the word “yes” approximately six seconds after issuing the order. Hackers can also have the ability to take advantage of what researchers refer to as the complete voice vulnerability or “FVV,” which permits Echos to make self-issued commands without reducing the device’s volume.

Alexa, go hack yourself:- Because the malware utilizes Alexa technology to force devices to make self-issued commands, the researchers have dubbed it “AvA,” short for Alexa vs. Alexa. It only requires just a few seconds of proximity to a vulnerable device. At the same time, it turns on so that attackers can speak a voice command to instruct Alexa to connect with an attacker’s Bluetooth-enabled machine. If the device is in the radio range of Echo, the attacker can issue commands.

It is the first attack to take advantage of the vulnerability in self-response to unintended commands on Echo devices, which allows attackers to control the devices for an extended period duration,” the researchers wrote in the paper that was published just two weeks ago. ”

It “is the first attack to take advantage of the vulnerability in self-response to unintended commands on Echo devices, which allows attackers to control the devices for a long period duration,” scientists wrote in the paper that was published just two weeks ago. “With this work, we eliminate the requirement of having an external speaker near to the target device, increasing the overall likelihood of the attack.”

The researchers have confirmed the attacks are effective against 4th and 3rd generation Echo Dot devices. A variant of the attack makes use of the malicious radio station to make the self-issued commands. That attack is no more feasible in the manner described in the paper following the security patches that the Echo maker Amazon issued in response to the study.

AvA starts when an infected Echo device is connected via Bluetooth to the attacker’s machine. From there, the attacker can use a text-to-speech app or any other method to broadcast voice commands.

The researchers found they could use AvA to force devices to perform a range of commands, many having strict privacy or security risks. The most likely malicious actions are:

Make calls to any number, even that is in control of the attacker, which means you can listen to conversations in the vicinity. Although Echos uses light to show that they are making a call, the devices are not always visible to the user, and those who are less experienced users may not understand what the light is indicating.

They control other smart appliances such as turning on the smart microwave, turning off the lights, unlocking smart doors. As mentioned earlier, when the Echos require confirmation, the adversary needs to add a “yes” to the command within six seconds after the request.

Modifying a user’s previously linked calendar to move, add, delete, or alter the events.

They are making unauthorized purchases through the victim’s Amazon account. Although Amazon sends an email to inform the victim about the purchase, the email may miss, or the customer might lose faith in Amazon.

Find all the words spoken during the attack by the victim. They are using what the researchers call a “mask attack” an attacker could take command inputs and store the commands in databases. It may allow the attacker to access private information, gather data on abilities, and even infer user habits.

Find all the words spoken during the attack by the target. Using what the researchers refer to as the “mask attack,” an attacker could take command inputs and store the commands in databases. It may allow the attacker to access private information, gather data on abilities, and even infer the user’s habits.

In 2019, the various teams of researchers showed how the Google Assistant, Siri, Alexa were vulnerable to attacks that used low-powered lasers to insert inaudible-and sometimes invisible commands into the devices and surreptitiously cause them to visit websites, start the vehicle, unlock doors. The laser can be 360 feet away from a susceptible device. The –light-based commands can also send from one building to another, penetrating glass when the susceptible device is located near the window.

The researchers wrote that it is impossible to self-issue any command on the informational website. If the microphone is unmated only when the user is near Echo, the user will hear the self-issued commands.

The user can always exit a skill by saying, “Alexa, Cancel or Alexa, quiet.” Also, the user can enable the audible indicator that plays after the Echo device detects the wake word.

The degree of the threat posed by AvA has been classified as “medium” by Amazon. Because Bluetooth connection requires only brief proximity to the device, AvA vulnerabilities do not work over the Internet, and even if an adversary successfully links the Echo with a Bluetooth device, the latter must remain within radio range. Domestic abusers, hostile insiders, or others with sporadic access to a vulnerable Echo may still be able to carry out the attack.


ABOUT AUTHOR