Security flaw affecting Amazon Echo devices warning

Views:

You see this notification pop up:

"Security flaw affecting Amazon Echo devices.

A recently discovered Amazon Echo device vulnerability allows attackers to control your device by using pre-recorded voice commands."

Why did this happen?

Trend Micro Home Network Security alerted you to a recently discovered Amazon Echo device vulnerability called Alexa versus Alexa (AvA) that allows attackers to control your device using pre-recorded voice commands.

What is the issue?

Smart speakers are designed to wait for you to say an activation phrase such as "Alexa" or "Echo" for Amazon Echo devices. However, researchers found out that an affected Amazon Echo device can perform “self-waking” when the device reproduces an audio file that contains a voice command.

To exploit this vulnerability, an attacker needs to be near your Amazon Echo device to pair their smartphone or laptop with your device via Bluetooth.

Another way an attacker can exploit the vulnerability is by having your Amazon Echo device tuned in to a malicious Internet radio station. Amazon has fixed this particular way already.

Check out this video on how AvA works: Alexa versus Alexa Demo.

What are its risks?

Using the AvA attack, attackers could perform a range of malicious actions:

Control other smart appliances, such as lights and smart door locks.
Call attacker-controlled phone numbers to eavesdrop on you.
Order items on Amazon using your account.
Control skills to obtain personal information.
Record your commands to extract sensitive private data and analyze your habits.

What should I do next?

According to Amazon, they have already fixed the remote self-wake issue with Alexa skills. They continually monitor live skills to check for any potentially malicious behavior. Once they find an offending skill, they block or deactivate it during certification. They are always striving to enhance their customers’ protection.

We recommend you update any Amazon Echo device to its latest software version by saying "Check for software updates" to your Amazon Echo device.

You can find the list of the latest Alexa device software here.

Keywords: ava,bt,bluetooth,voice control, Amazon Echo devices can be hijacked using commands from their speakers

Comments (0)

What is the issue?

To exploit this vulnerability, an attacker needs to be near your Amazon Echo device to pair their smartphone or laptop with your device via Bluetooth.

Another way an attacker can exploit the vulnerability is by having your Amazon Echo device tuned in to a malicious Internet radio station. Amazon has fixed this particular way already.

Check out this video on how AvA works: Alexa versus Alexa Demo.

What are its risks?

Using the AvA attack, attackers could perform a range of malicious actions:

Control other smart appliances, such as lights and smart door locks.

Call attacker-controlled phone numbers to eavesdrop on you.

Order items on Amazon using your account.

Control skills to obtain personal information.

Record your commands to extract sensitive private data and analyze your habits.

What should I do next?

You can find the list of the latest Alexa device software here.

How helpful was this article?

It was very unhelpful.
It wasn't helpful at all.
It was not helpful.
Somewhat helpful.
Just okay.
Just okay.
It was helpful.
It was somewhat helpful.
It was very helpful.
It was helpful.

Thank you for your feedback!

Feedback entity isn't available at the moment. Try again later.

⚠️ ADVISORY ⚠️

Security flaw affecting Amazon Echo devices warning

Why did this happen?

What is the issue?

What are its risks?

What should I do next?

Modal header

Why did this happen?

What is the issue?

What are its risks?

What should I do next?