{"id":2404,"date":"2022-03-08T21:21:36","date_gmt":"2022-03-09T04:21:36","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/?p=2404"},"modified":"2022-03-08T21:21:39","modified_gmt":"2022-03-09T04:21:39","slug":"alexa-vs-alexa-new-vulnerability-with-the-amazon-echo","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/03\/08\/alexa-vs-alexa-new-vulnerability-with-the-amazon-echo\/","title":{"rendered":"Alexa vs. Alexa: New Vulnerability With the Amazon Echo?"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Alexa might not need your voice command to play Despacito anymore! A new vulnerability that can be exploited in the Amazon Echo has been found by researchers at the University of London and the University of Milan (referred to below as Esposito et al.). <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" data-src=\"https:\/\/cdn.vox-cdn.com\/thumbor\/IXtCSB87q4u-KK3YDXeCI9d2-TI=\/0x0:1920x1080\/1200x800\/filters:focal(807x387:1113x693)\/cdn.vox-cdn.com\/uploads\/chorus_image\/image\/67463013\/msedge_X9RFhS71eu.0.jpg\" alt=\"\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" \/><figcaption><em>Retrieved from: https:\/\/www.theverge.com\/2020\/9\/24\/21452347\/amazon-echo-4th-generation-features-price-release-date-alexa<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The Amazon Echo, similar to the Google Home, is a smart speaker. It operates through voice commands and can perform a plethora of tasks, including controlling household &#8220;smart&#8221; appliances, setting alarms, sending emails, shopping, and playing music. 
Because of the Amazon Echo's large presence and its access to personal information, any vulnerability could have disastrous consequences.<\/p>\n\n\n\n<h2 class=\"has-large-font-size wp-block-heading\">What is Alexa vs. Alexa (AvA)?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Alexa vs. Alexa, or AvA, is a new term coined by Esposito et al. It covers multiple ways in which the Amazon Echo in particular can be abused by malicious attackers, although it likely applies to other smart speakers as well. It works by making Alexa, the virtual assistant in the Amazon Echo, say commands to itself, making it possible to alter emails and smart appliances and to buy products on Amazon, all without authorization. This can work through either a Bluetooth device or radio.<\/p>\n\n\n\n<h2 class=\"has-large-font-size wp-block-heading\">What about requiring verbal confirmation\/volume decreases?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The researchers were able to get around the confirmation requirement for some commands by having Alexa say yes after a pause. 
To counter the volume decrease that occurs when the Echo perceives someone speaking, they take advantage of a vulnerability known as the <em>Full Volume Vulnerability<\/em>, which stops the Echo from turning the volume down.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" data-src=\"https:\/\/media.wired.com\/photos\/5b6e028c61743303b6869fb7\/1:1\/w_1800,h_1800,c_limit\/echo_final1-01.jpg\" alt=\"\" width=\"664\" height=\"664\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" style=\"--smush-placeholder-width: 664px; --smush-placeholder-aspect-ratio: 664\/664;\" \/><figcaption><em>Retrieved from: https:\/\/www.wired.com\/story\/hackers-turn-amazon-echo-into-spy-bug\/<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"has-large-font-size wp-block-heading\">Invasion of Privacy<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If that wasn&#8217;t enough, malicious attackers could also make an application that runs in the background and overhears your commands. It then responds to your commands in the voice of Alexa, so that while it is eavesdropping it seems as though you are just interacting with Alexa. This creates multiple issues: attackers can listen in on all the information you provide, some of it potentially sensitive, and they can give you incorrect information in a way that avoids suspicion. 
<\/p>\n\n\n\n<h2 class=\"has-large-font-size wp-block-heading\">What does this look like?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Here&#8217;s a video of the authors demonstrating how the various commands work:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe title=\"Alexa versus Alexa - Demo\" width=\"640\" height=\"360\" data-src=\"https:\/\/www.youtube.com\/embed\/t-203SV_Eg8?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" data-load-mode=\"1\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"has-large-font-size wp-block-heading\">Are there any weaknesses to this attack?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">One clear weakness is that, because of the nature of Bluetooth, attackers using this method need to be near the Echo to carry out the attack. Additionally, in response to the paper, Amazon changed functionality to make the Echo resistant to commands presented through a radio. <\/p>\n\n\n\n<h2 class=\"has-large-font-size wp-block-heading\">How can I protect myself?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To reduce the likelihood of these attacks, the authors recommend that you <strong>mute your microphones when not using the Echo<\/strong>, or set it so that the microphone only turns on when you are near it, so that you can hear any commands that arise. 
Additionally, through the Alexa app, you can delete voice recordings, reducing the likelihood of commands coming from the Echo itself, and you can cancel a skill by giving a verbal command. <\/p>\n\n\n\n<h2 class=\"has-large-font-size wp-block-heading\">References<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/arstechnica.com\/information-technology\/2022\/03\/attackers-can-force-amazon-echos-to-hack-themselves-with-self-issued-commands\/\">https:\/\/arstechnica.com\/information-technology\/2022\/03\/attackers-can-force-amazon-echos-to-hack-themselves-with-self-issued-commands\/<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/arxiv.org\/pdf\/2202.08619.pdf\">https:\/\/arxiv.org\/pdf\/2202.08619.pdf<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.bitdefender.com\/blog\/hotforsecurity\/alexa-hack-yourself-researchers-describe-new-exploit-that-turns-smart-speakers-against-themselves\/\">https:\/\/www.bitdefender.com\/blog\/hotforsecurity\/alexa-hack-yourself-researchers-describe-new-exploit-that-turns-smart-speakers-against-themselves\/<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.tomsguide.com\/news\/amazon-echo-security-loophole-exploited-to-make-them-hack-themselves\">https:\/\/www.tomsguide.com\/news\/amazon-echo-security-loophole-exploited-to-make-them-hack-themselves<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Alexa might not need your voice command to play Despacito anymore! A new vulnerability that can be exploited in the Amazon Echo has been found by researchers at the University of London and the University of Milan (referred to below as Esposito et al.). 
The Amazon Echo, similar to the &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/03\/08\/alexa-vs-alexa-new-vulnerability-with-the-amazon-echo\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Alexa vs. Alexa: New Vulnerability With the Amazon Echo?&#8221;<\/span><\/a><\/p>\n","protected":false},"author":430,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[15],"tags":[],"class_list":["post-2404","post","type-post","status-publish","format-standard","hentry","category-cpsc-329-602-w22","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Simran Chahal","author_link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/author\/simran-chahal\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/users\/430"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/comments?post=2404"}],"version-history":[{"count":4,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2404\/revisions"}],"predecessor-version":[{"id":2415,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2404\/revisions\/2415"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/media?parent=2404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/categories?post=2404"},{"taxonomy":"post_tag","e
mbeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/tags?post=2404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}