New Attack Manipulates Amazon Devices
Table of Contents
- By David Lukic
- Published: Mar 08, 2022
- Last Updated: Mar 18, 2022
Digital security researchers have figured out how to manipulate Amazon’s popular Echo device. The smart device has the potential to be remotely manipulated by way of its own speakers.
Who Discovered the Novel Attack?
The attack potential was identified by cyber security researchers at the University of Catania and the University of London. These researchers determined it is possible to weaponize the Echo device, essentially creating the potential for the computing machine to hack itself.
What is the Attack all About?
The novel attack is referred to as Alexa vs. Alexa. This attack makes use of a vulnerability that those in the cyber security industry refer to as a command self-issue. The attack uses recorded messages that prompt the device’s speaker to complete actions without user directives.
The attack is specific to Amazon Echos that are in the third and fourth generations.
Amazon Echo smart speakers are idle until a person verbalizes a key phrase for activation. However, the attack detailed above indicates it is possible to control the device without the owner issuing the activation command. It merely takes the use of an audio file generated by the Echo itself that has a voice command. If the Echo requests secondary confirmation to complete a specific action, the adversary merely needs to provide an affirmation within six seconds of the request to trigger the device into following the command.
How is the Attack Conducted?
Hackers can activate Amazon Echo devices through a laptop that is within range for Bluetooth pairing or using a smartphone. As long as the hacker is within a reasonable distance from the Echo in question, he or she can issue the command, access the Echo, disconnect, and then reconnect without completing the pairing process in the future. It is even possible for the attack to occur days after the initial pairing is performed.
Is There Any Other Way to Hack Echo Devices?
It is even possible for hackers to tap into a target’s Amazon Echo through a web-based radio station. The hacker beams directly to the targeted device, similar to a command-and-control server. This approach works remotely, setting the stage for the hacker to access several devices in unison. Though the target would have to be fooled into downloading a harmful Alexa skill application to the device, plenty of Echo owners who lack tech-savvy would be willing to do so.
Why is the Hack a Problem?
The Alexa vs. Alexa hack creates an opportunity for digital miscreants to compromise applications downloaded to the Echo. Hackers can use the device to stalk users, control appliances within the office or house, make phone calls, and even place orders through Amazon’s popular shopping platform through an account takeover. A hacker could access the Echo to hike the building’s temperature, unlock smart doors, activate smart microwave ovens, and turn on the lights whenever desired.
Is This the First Echo Security Flaw?
No. Amazon’s Echo devices have been in the news as a result of several privacy issues, including audio recordings being transmitted to amazon servers, microphones picking up on nearby activity, and more. In particular, those living in densely populated cities face heightened risk as they are in closer physical proximity to others, including those who might perform the Alexa vs. Alexa hack.