Researchers uncover smart speaker hack that forces device to speak to itself


The Amazon Echo smart speaker vulnerability enables hackers to use the device to issue malicious commands to itself, like making calls or unauthorised purchases. — Amazon

Putting the echo in Amazon’s Echo, an exploit was found that enabled hackers to force the smart speaker to issue commands to itself.

Security researchers Sergio Esposito and Daniele Sgandurra of Royal Holloway University and Giampaolo Bella of the University of Catania reported that by hijacking the smart speaker, hackers could issue malicious commands like unlocking doors, making phone calls and even making unauthorised purchases.

Ars Technica reported that the hack requires the attacker to get close enough to give a voice command for the smart speaker to pair with their Bluetooth-enabled device.

After that, the hacker can use a text-to-speech app or other means to stream voice commands. As long as the audio contains a wake word followed by a permissible command, the Echo will carry it out.

Because of how the exploit pits the device against itself, the researchers dubbed it “AvA”, short for Alexa vs Alexa.

They added that this was the first attack that exploited the vulnerability of self-issuing arbitrary commands, making it easier than the previous method of placing another speaker nearby which issued the malicious commands.

While sensitive commands require virtual confirmation, this can be bypassed by adding the word “yes” about six seconds after the initial command, tricking the device into thinking it was a reply by the owner.

A compromised device may also record victims’ orders, making a profile of the user’s habits or picking up on sensitive data like passwords or financial information.

Another problem is that devices which have access to the user’s Amazon account can be used to make unauthorised purchases. Though an email notification is sent out, users may miss the notice.

Amazon responded to Ars Technica that it was aware of the research and has issued security patches to protect against the exploit, while 3rd- and 4th-generation Echo Dot devices are not affected by the exploit.

Users were also advised to mute the device’s microphone when not in use or set voice PINs as verification for sensitive commands like shopping instructions.
