Researchers uncover smart speaker hack that forces device to speak to itself

The Amazon Echo smart speaker vulnerability enables hackers to use the device to issue malicious commands to itself, like making calls or unauthorised purchases. — Amazon

Putting the echo in Amazon’s Echo, an exploit was found that enabled hackers to force the smart speaker to issue commands to itself.

Security researchers Sergio Esposito and Daniele Sgandurra of Royal Holloway University and Giampaolo Bella of the University of Catania reported that by hijacking the smart speaker, hackers could issue malicious commands like unlocking doors, making phone calls and even making unauthorised purchases.

Ars Technica reported that the hack requires the attacker to get close enough to give a voice command for the smart speaker to pair with their Bluetooth-enabled device.

After that the hacker can use a text-to-speech app or other means to stream voice commands. As long as it uses a wake word followed by a permissible command, the Echo will carry it out.

Because of how the exploit pits the device against itself, the researchers dubbed it “AvA”, short for Alexa vs Alexa.

They added that this was the first attack that exploited the vulnerability of self-issuing arbitrary commands, making it easier than the previous method of placing another speaker nearby which issued the malicious commands.

While sensitive commands require virtual confirmation, this can be bypassed by adding the word “yes” after about six seconds after the initial command, tricking the device into thinking it was a reply by the owner.

A compromised device may also record victims’ orders, making a profile of the user’s habits or picking up on sensitive data like passwords or financial information.

Another problem is that devices which have access to the user’s Amazon account can be used to make unauthorised purchases. Though an email notification is sent out, users may miss the notice.

Amazon responded to Ars Technica that it was aware of the research and has issued security patches to protect against the exploit, while 3rd- and 4th-generation Echo Dot devices are not affected by the device.

Users were also recommended to mute the device’s microphone when not in use or set voice PINs as verification for sensitive commands like shopping instructions.

Article type: free
User access status:
Subscribe now to our Premium Plan for an ad-free and unlimited reading experience!

Next In Tech News

As they enter a 4th generation, are foldable phones finally mature?
This free tool lets you extract text from images
Google Stadia is dead, but its controllers live on
Twitter says users will be able to appeal account suspension
New smart-home standard for Android and Google devices has arrived
In NBA version of 'Pok�mon Go' you seek basketball pros, not monsters
U.S. SEC probes Elon Musk's role in Tesla self-driving claims - Bloomberg News
Twitter research group stall complicates compliance with new EU law
Top French university bans use of ChatGPT to prevent plagiarism
Man in SG admits to sexually exploiting minors, including two sisters he met on boy band fans’ chat group

Others Also Read