Wednesday, 9 March 2022

Alexa Can Be Made to Hack Itself

(Photo: Rahul Chakraborty/Unsplash)
In this week’s edition of “Alexa news that will make you shake your head,” researchers have found that Amazon’s infamous Echo smart speaker can be directed to hack itself.

A team of academic researchers from London’s Royal Holloway University and Italy’s University of Catania have confirmed that Alexa will follow its own commands, as long as those commands start with the speaker’s wake word. (Echo users can currently choose whether their device listens for “Alexa” or “Echo.”) In an unfortunate phenomenon dubbed “Alexa vs. Alexa,” or AvA, Echo users and hackers alike can take advantage of Alexa’s full voice vulnerability (FVV) to force the device to issue commands to itself without adjusting for volume as it normally would. Alexa then hears and executes the command as if it had been given by an actual person.

This is an easy vulnerability to exploit. The researchers found that bad actors need only a few seconds in close proximity to an active Echo device to issue a voice command that pairs it with their own device, allowing the bad actor to control Alexa using text-to-speech as long as the attacker’s device stays within radio range of the Echo. This is possible with both 3rd- and 4th-generation Echo Dot devices.

Thanks to how interconnected smart speakers are with various facets of our personal lives (after all, that’s kind of the point), a hacker who’s gained control of someone’s Echo device is capable of meddling with everything from the victim’s productivity tools and finances to the other devices in their home. Tests found that hackers could “control smart lights with a 93 percent success rate, successfully buy unwanted items on Amazon 100 percent of the time, and tamper [with] a linked calendar with 88 percent success rate.” If a command needed confirmation in order to proceed, all the hacker needed to do was include “yes” in their command about six seconds after their initial statement. Even “skills” could be impersonated, allowing the hacker to obtain the device owner’s personal data and passwords. 

The authors of the research paper have reported these gaps and provided possible countermeasures to Amazon’s Vulnerability Research Program, which rated them with a medium severity score and stated it is working toward a solution.
