Smart speakers are very popular nowadays and are used for various purposes, although Amazon initially created its popular Echo to boost sales on Amazon. Like other smart speakers, the Amazon Echo comes with a built-in voice assistant that can recognize speech and perform various actions. For instance, it can make purchases based on our voice commands, control smart home appliances, and so on. But what if it goes crazy and does things we don’t want?
What Is AVA?
Recently, two tech enthusiasts, Sergio Esposito and Daniele Sgandurra of Royal Holloway, University of London, together with Giampaolo Bella of the University of Catania, Italy, conducted an interesting test. They called it “Alexa versus Alexa (AVA)”. According to the researchers, smart speakers (the Amazon Echo in this case) can attack themselves with a voice command. It does not matter where the voice command comes from, whether a person or another device.
“AVA” is a new form of attack that exploits the vulnerability of so-called “self-issued commands”. In effect, the Amazon Echo will interpret voice commands played from audio files. So it can be attacked even if the commands come from a device, including the Echo itself.
Amazon Echo Can Attack Itself
What’s worse, the Amazon Echo has two additional vulnerabilities, “Full Volume” and “Break Tag Chain”, that help attackers act more effectively. The former doubles the recognition rate of self-issued commands on average. The latter extends the time the speaker has to perform an action from 8 seconds to an hour. Thus, attackers can do anything they want.
All these “features” help attackers control the Amazon Echo for a long time. Interestingly, when the issue was reported via Amazon’s vulnerability investigation program, it was rated as “Medium”. We guess the reason is that the attacker has to be close to the victim’s device, even if only for a short time. Otherwise, the attacker won’t be able to pair with the Echo via Bluetooth. Thus, the attacker must be within range and cannot use files sent over the Internet.
Amazon has already addressed some of the vulnerabilities, but the Amazon Echo is not completely safe yet. So we recommend muting the microphone except when actively using the Amazon Echo.