Putting the echo in Amazon’s Echo, an exploit was found that enabled hackers to force the smart speaker to issue commands to itself.
Security researchers Sergio Esposito and Daniele Sgandurra of Royal Holloway University and Giampaolo Bella of the University of Catania reported that by hijacking the smart speaker, hackers could issue malicious commands like unlocking doors, making phone calls and even making unauthorised purchases.
Ars Technica reported that the hack requires the attacker to get close enough to give a voice command for the smart speaker to pair with their Bluetooth-enabled device.
After that the hacker can use a text-to-speech app or other means to stream voice commands. As long as it uses a wake word followed by a permissible command, the Echo will carry it out.
Because of how the exploit pits the device against itself, the researchers dubbed it “AvA”, short for Alexa vs Alexa.
They added that this was the first attack to exploit the vulnerability of self-issuing arbitrary commands, making it easier than the previous method of placing another speaker nearby to issue the malicious commands.
While sensitive commands require virtual confirmation, this can be bypassed by adding the word “yes” about six seconds after the initial command, tricking the device into thinking it was a reply by the owner.
A compromised device may also record victims’ orders, making a profile of the user’s habits or picking up on sensitive data like passwords or financial information.
Another problem is that devices which have access to the user’s Amazon account can be used to make unauthorised purchases. Though an email notification is sent out, users may miss the notice.
Amazon responded to Ars Technica that it was aware of the research and has issued security patches to protect against the exploit, while 3rd- and 4th-generation Echo Dot devices are not affected by the exploit.
Users were also recommended to mute the device’s microphone when not in use or set voice PINs as verification for sensitive commands like shopping instructions.