Amazon Alexa can be hijacked via commands from own speaker

This isn't the artificial intelligence we were promised

Updated Without a critical update, Amazon Alexa devices could wake themselves up and start executing audio commands issued by a remote attacker, according to infosec researchers at Royal Holloway, University of London.

By exploiting a now-patched vulnerability, a malicious person with some access to a smart speaker could make it broadcast commands to itself or to other smart speakers nearby, allowing said miscreant to start "smart appliances within the household, buy unwanted items, tamper [with] linked calendars and eavesdrop on the [legitimate] user."

These were the findings of RHUL researchers Sergio Esposito and Daniele Sgandurra, working with Giampaolo Bella of Italy's Catania University. They discovered the flaw, nicknamed Alexa versus Alexa (AvA), describing it as "a command self-issue vulnerability."

"Self-activation of the Echo device happens when an audio file reproduced by the device itself contains a voice command," the researchers said.

The researchers said they'd confirmed AvA affected both third- and fourth-generation Echo Dot devices (the latter being the latest release, first shipped in September 2020).

Triggering the attack is as simple as using an Alexa-enabled device to start playing crafted audio files to itself, which the researchers suggested in their paper could be hosted on an internet radio station tunable by an Amazon Echo. In this scenario, a malicious person would simply need to tune the internet radio station (essentially a command-and-control server, in infosec argot) to achieve control over the device.

Executing the attack requires exploitation of Amazon Alexa Skills. These, as Amazon explains, "are like apps that help you do more with Alexa. You can use them to play games, listen to podcasts, relax, meditate, order food, and more."

Here's a flowchart from the paper on how to pull off the AvA technique:

[Figure: Flowchart of an Alexa versus Alexa attack using a malicious radio station and skill]

As you can see, it's a neat way to get around some of the security of the device, depending on the situation. It's a novel method for taking control of a person's Alexa box if you, for instance, trick your victim into running a skill that plays a malicious internet radio station.

Sergio Esposito, one of the research team, told The Register that Speech Synthesis Markup Language (SSML) gave them another route for exploitation with skills, separate from the radio streaming approach. He explained: "It is a language that allows developers to program how Alexa will talk in certain situations, for example. An SSML tag could say that Alexa would whisper or maybe speak with a happy mood."

An SSML break tag, he told us, allowed natural-sounding pauses in scripts read out by Alexa to be extended to an hour long, meaning Alexa was no longer listening to the user's inputs: "So, an attacker could use this listening feature to set up a social engineering scenario in which the skill pretends to be Alexa and replies to the user's utterances as if it was Alexa."
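The break-tag abuse Esposito describes can be screened for at skill-certification time by totalling the silence a response requests, since each tag may look harmless on its own. The following is an added example, not code from the paper or from Amazon; the 10-second policy threshold, the strength-to-seconds table and the sample responses are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Assumed policy threshold for this example: flag any response whose
# cumulative <break> silence exceeds this many seconds (constructed value,
# not Amazon's actual limit).
MAX_SILENCE_SECONDS = 10.0

# Approximate durations for the strength= form of <break>, which carries no
# explicit time attribute (constructed values for this example).
STRENGTH_SECONDS = {"none": 0.0, "x-weak": 0.0, "weak": 0.1,
                    "medium": 0.25, "strong": 0.5, "x-strong": 1.0}

_TIME_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(ms|s)\s*$")


def break_seconds(elem):
    """Seconds of silence contributed by one <break> element."""
    t = elem.get("time")
    if t is not None:
        m = _TIME_RE.match(t)
        if not m:
            raise ValueError(f"unparseable break time: {t!r}")
        value, unit = float(m.group(1)), m.group(2)
        return value / 1000.0 if unit == "ms" else value
    return STRENGTH_SECONDS.get(elem.get("strength", "medium"), 0.25)


def total_silence(ssml):
    """Sum every <break> in an SSML document, however deeply it is nested."""
    root = ET.fromstring(ssml)
    return sum(break_seconds(b) for b in root.iter("break"))


def check_response(ssml):
    """Return (ok, seconds); ok is False when the silence exceeds policy."""
    seconds = total_silence(ssml)
    return seconds <= MAX_SILENCE_SECONDS, seconds


# Constructed sample responses (not taken from the paper).
BENIGN = '<speak>Your order is on its way.<break time="500ms"/>Anything else?</speak>'
# Many chained breaks wrapped in another tag: each is short, together an hour.
SUSPECT = ('<speak>Okay.<prosody rate="slow">' + '<break time="10s"/>' * 360
           + '</prosody></speak>')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        ok, secs = check_response(doc)
        print(f"{name}: {secs:.1f}s of silence, {'ok' if ok else 'FLAGGED'}")
```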

Anyone can create a new Alexa Skill and publish it on the Alexa Skill store; as an example, while briefly reviewing Amazon UK's Skill store, The Register found a Skill on the first page which reads out the lunch menu at a high school in northern India. Skills don't need any special privileges to run on an Alexa-enabled device, though Amazon says it vets them before letting them go live.

Amazon patched most of the vulns except for one where a Bluetooth-paired device could play crafted audio files over a vulnerable Amazon Echo speaker, Esposito told us. The threat model there involves a malicious person being close enough to connect to the speaker (Bluetooth range is about 10m); in that case you may have bigger problems than someone being able to remotely turn your dishwasher on.

One vuln in particular, tracked as CVE-2022-25809, was assigned a medium severity according to the researchers. A US National Vulnerability Database entry described it as "improper neutralization of audio output" and said it affected "3rd and 4th Generation Amazon Echo Dot devices," allowing "arbitrary voice command execution on these devices via a malicious 'Skill' (in the case of remote attackers) or by pairing a malicious Bluetooth device (in the case of physically proximate attackers), aka an 'Alexa versus Alexa (AvA)' attack."

Alexa-enabled devices receive software updates automatically when connected to the internet. You can also use Alexa itself to update to the latest software version for an Echo device, according to Amazon.

"Say, 'Check for software updates' to install software on your Echo device," the vendor suggests.

The researchers are due to present their findings in May at the AsiaCCS conference but curious readers can read all about it on their website.

We have asked Amazon for comment and will update this article if it responds. ®

Updated to add

An Amazon spokeswoman told The Register: "At Amazon, privacy and security are foundational to how we design and deliver every device, feature, and experience. We appreciate the work of independent security researchers who help bring potential issues to our attention, and are committed to working with them to secure our devices. We fixed the remote self-wake issue with Alexa Skills caused by extended periods of silence resulting from break tags as demonstrated by the researchers. We also have systems in place to continually monitor live skills for potentially malicious behavior, including silent re-prompts. Any offending skills we identify are blocked during certification or quickly deactivated, and we are constantly improving these mechanisms to further protect our customers."

Biting the hand that feeds IT © 1998–2022