Alexa devices can be hacked into talking to each other

The Amazon Echo smart speakers and smart displays can be maliciously controlled with an attack that has been called Alexa vs Alexa, precisely because it uses the voice assistant to take possession of the various home automation functions associated with a sort of self-hack through orders. self-imparted by smart speakers. As told by the teams of researchers from the Royal Holloway University of London and the University of Catania who discovered and reported the problem, this could be used to unlock and open doors, make calls to dangerous numbers or unauthorized purchases. A patch has been released, but it only corrects part of the problems.

To exploit the vulnerability called Alexa vs Alexa (AvA) you need an audio file that acts as a switch and that contains a specific voice command and you execute it through Alexa skills, i.e. additional app-like capabilities to expand the potential of the voice assistant. The cybercriminal could rely on a malicious web radio or impersonate Alexa herself via a so-called ssml (speech synthesis markup language) tag for converting text into speech.

Content This content can also be viewed on the site it originates from.

The researchers tested the vulnerability by managing to control connected appliances, but also heating systems and smart locks and in the event of a confirmation request from Echo it was sufficient to respond with a " Yes "after a few seconds. It was possible to make calls to ad hoc numbers, complete unauthorized purchases and modify calendar events.

Arxiv

How to protect yourself? Amazon has already released a patch that partially corrects this problem and since the Echo smart speakers and smart displays update automatically it is not necessary to do anything. However, a vulnerability still remains uncovered or if the potential attacker is within bluetooth range (about 10 meters) he may still have the ability to play an audio file to activate the attack and exploit its wide potential.