[REVIEW] : Attackers could force Amazon Echo connected speakers to unlock doors
University researchers have developed a functional new hack that commandeers Amazon Echo connected speakers and forces them to unlock doors, make unauthorized phone calls and purchases, and control ovens, microwave ovens, and microwaves. waves and other connected devices.
The hack works by using the device’s speaker to issue voice commands. As long as the speech contains the device’s wake word (usually “Alexa” or “Echo”) followed by an authorized command, the Echo will execute it, researchers from Royal Holloway University in London and from the Italian University of Catania. Even when devices require verbal confirmation before executing sensitive commands, it’s trivial to circumvent the measure by adding the word “yes” about six seconds after the command is issued. Attackers can also exploit what researchers call the “FVV” for full voice vulnerability, which allows Echos to perform self-spoken commands without temporarily lowering the volume of the device.
Because the hack uses Alexa functionality to force devices to perform auto-issued commands, researchers dubbed it “AvA,” short for Alexa vs. Alexa. It only requires a few seconds of proximity to a vulnerable device when turned on in order for an attacker to speak a voice command asking it to pair with an attacker’s Bluetooth-enabled device. As long as the device remains within radio range of the Echo, the attacker will be able to issue commands.
The attack “is the first to exploit the vulnerability of auto-issued arbitrary commands on Echo devices, allowing an attacker to control them for an extended period of time,” the researchers wrote in a post. “With this work, we’re removing the need to have an external speaker near the target device, increasing the overall likelihood of the attack.”
A variant of the attack uses a malicious radio station to generate the auto-issued commands. This attack is no longer possible as stated in the article following security patches released by Amazon, the maker of Echo, in response to the research. Researchers have confirmed that the attacks work against 3rd and 4th generation Echo Dot devices.
Researchers found they could use AvA to force devices to execute a host of commands, many of which had serious privacy or security implications. Possible malicious actions include:
- control other connected devices for example to turn off lights, turn on a connected microwave oven, set the heating to a dangerous temperature or unlock connected door locks. As noted earlier, when echoes require confirmation, the adversary only needs to add a “yes” to the command approximately six seconds after the request;
- call any phone number, including the one controlled by the attacker, so that nearby sounds can be heard. While Echos use a light to indicate they’re making a call, the devices aren’t always visible to users, and less experienced users may not know what the light means;
- making unauthorized purchases using the victim’s Amazon account. Although Amazon will send an email notifying the victim of the purchase, the email may be missed or the user may lose trust in Amazon. Alternatively, attackers can also delete items already present in the account’s cart;
- alter a user’s previously linked calendar to add, move, delete, or modify events;
- impersonate skills or cast any skill of the attacker’s choice. This, in turn, could allow attackers to obtain passwords and personal data. For the record, skills are, in a way, the equivalent of mobile applications. Skills add new functionality to Alexa. They allow you to personalize the use of your Amazon Echo or your devices that integrate Alexa;
- retrieve all the utterances spoken by the victim. Using what the researchers call a “cloaked attack”, an attacker can intercept commands and store them in a database. This could allow the attacker to extract private data, gather information about skills used, and infer user habits.
5 Alexa features that make working from home easier
If the telework has historically struggled to find its place in France, the covid-19 pandemic completely changed the game. For the past two years, teleworking has imposed itself on many companies, requiring them and their employees to review their organization. Since then, we have faced several waves that require reactivating teleworking regularly… But this has also been a real lever for the role of the telecommuting in France. Most companies now have real agreements for working from home and many have benefited from an amendment to their contract to benefit from 2 or 3 days of teleworking per week.
1. Let Alexa remind you of your meetings throughout the day
You may not know it, but it is possible to sync your calendar with Alexa. Whether Apple, Google Where Microsoft 365it is possible to synchronize your calendar with your Amazon voice assistant. You will then be notified by your smart speaker of all the events of the day. Very practical, because you can combine several agendas, professional and personal for example, and will always stay informed of the different events throughout the day.
2. Ask Alexa to remind you to take breaks
This is undoubtedly one of the major drawbacks of teleworking, you quickly lose the notion of time. There is indeed not the colleague who passes by to offer you a coffee before the 10 a.m. meeting, or that other colleague who passes by to ask you what time you take the lunch break to eat with you. In telework, we are often head in the handlebars and time passes without realizing it. We often chain Teams, Meet, Zoom and others… And we forget to take a break! So ask Alexa to remind you to take a break. To stretch your legs a little or the time of your next meeting.
3. Listen to your favorite podcasts or music while working
If you are a fan of headphones at work to mask the noise of the open-space and concentrate on your work while listening to your playlist of the moment, at home, you can drop the headphones! So take advantage of your smart and connected speaker which has a very correct sound for background music at work. To do this, simply link your favorite music service (Spotify, Deezer, etc.) or Amazon Music and ask Alexa to play your music!
4. Use Alexa as a sports coach to stay active even when working remotely
If losing track of time is easy when working from home, losing track of your health (or simply neglecting it) is even easier. Indeed, the disadvantage of teleworking is that your daily trips are often limited to going from one room to another in the house. Whereas when you go to the site, you have to take transport, walk… All this represents a minimum of exercise that you no longer do at home.
5. Adjust room light intelligently with Alexa
Finally, how to talk aboutAlexa on this blog without mentioning the management of the smart home. Function in which the assistant excels and makes it very easy to do what was sometimes complicated for a novice with a complete home automation installation.
Adapt the opening of the shutters as the sun advances just as easily
Still without going through a heavy home automation installation, if you have a south-facing office, that’s great, but sometimes too much sun in the room will have the effect of causing reflections on your PC screen and that’s not always very practical to work efficiently. Here again Alexa can help you adjust the opening and closing of roller shutters very simply. Simply install a relay module or a connected switch on your shutter control, associate it with your Alexa application, and let your Amazon Echo act on the shutter for you. Here again we have made a small selection of compatible modules for you.
Conclusion, the Amazon Echo is a great everyday assistant, even for work
I have only retained 5 common uses here, but there are many more. After years of working from home, here you have 5 of my most common Alexa uses during my work-at-home days. But you may have other interesting uses of the assistant during your Homework days, do not hesitate to let us know in the comments, it’s always interesting.
Perhaps you also do coworking at home, know that there too the assistant can be very useful. I invite you to discover the personalized recognition functions explained in the test of the new Echo Show 15.